5.3 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
11.9%
Affected versions of yargs-parser
are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object
, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz'
adds a bar
property with value baz
to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser
.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
CPE | Name | Operator | Version |
---|---|---|---|
yargs-parser | ge | 16.0.0 | |
yargs-parser | lt | 18.1.1 | |
yargs-parser | le | 5.0.0 | |
yargs-parser | ge | 6.0.0 | |
yargs-parser | lt | 13.1.2 | |
yargs-parser | ge | 14.0.0 | |
yargs-parser | lt | 15.0.1 |
github.com/advisories/GHSA-p9pc-299p-vxgp
github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36
github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2
nvd.nist.gov/vuln/detail/CVE-2020-7608
snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
www.npmjs.com/advisories/1500
5.3 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
11.9%