GitHub Advisory DatabaseGHSA-V9P9-535W-4285Prototype Pollution in litespeed.js and appwrite/server-ce
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
88.5%
This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| appwrite | server-ce | * | cpe:2.3:a:appwrite:server-ce:*:*:*:*:*:*:*:* |
| litespeed.js_project | litespeed.js | * | cpe:2.3:a:litespeed.js_project:litespeed.js:*:*:*:*:*:node.js:*:* |
References
github.com/advisories/GHSA-v9p9-535w-4285
github.com/appwrite/appwrite/pull/2778
github.com/appwrite/appwrite/releases/tag/0.11.1
github.com/appwrite/appwrite/releases/tag/0.12.2
github.com/litespeed-js/litespeed.js/pull/18
nvd.nist.gov/vuln/detail/CVE-2021-23682
snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250
snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
88.5%