GitHub Advisory DatabaseGHSA-PC58-WGMC-HFJRPrototype Pollution in mout
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
88.0%
This affects all versions of package mout. The deepFillIn function can be used to ‘fill missing properties recursively’, while the deepMixIn ‘mixes objects into the target object, recursively mixing existing child objects as well’. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.
Affected configurations
References
github.com/advisories/GHSA-pc58-wgmc-hfjr
github.com/mout/mout/blob/master/src/object/deepFillIn.js
github.com/mout/mout/blob/master/src/object/deepMixIn.js
github.com/mout/mout/commit/3fecf1333e6d71ae72edf48c71dc665e40df7605
nvd.nist.gov/vuln/detail/CVE-2020-7792
snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373
snyk.io/vuln/SNYK-JS-MOUT-1014544
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
88.0%