Lucene search

GitHub Advisory DatabaseGHSA-VG6V-JCG3-5MP7

HistoryJul 01, 2024 - 3:32 p.m.

@aofl/cli-lib Prototype Pollution vulnerability

2024-07-0115:32:09

CWE-1321

GitHub Advisory Database

github.com

aofl cli-lib software vulnerability prototype pollution injection denial of service dos arbitrary code.execute

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

8.4

Confidence

High

JSON

aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Affected configurations

Vulners

Node

aoflcli-libRange≤4.0.0-alpha.45

VendorProductVersionCPE
aoflcli-lib*cpe:2.3:a:aofl:cli-lib:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
aofl	cli-lib	*	cpe:2.3:a:aofl:cli-lib::::::::

References

gist.github.com/mestrtee/29636943e6989e67f38251580cbcea73

github.com/advisories/GHSA-vg6v-jcg3-5mp7

github.com/AgeOfLearning/aofl/issues/35

nvd.nist.gov/vuln/detail/CVE-2024-38987