Lucene search

GitHub Advisory DatabaseGHSA-VHXC-FHM5-QCP9

HistoryMar 18, 2022 - 12:01 a.m.

Prototype Pollution in bodymen

2022-03-1800:01:11

CWE-1321

GitHub Advisory Database

github.com

prototype pollution

bodymen

handler function

object.prototype

cve-2019-10792

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS

0.001

Percentile

40.2%

JSON

The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a proto payload. Note: This vulnerability derives from an incomplete fix to CVE-2019-10792

Affected configurations

Vulners

Node

bodymen_projectbodymenRange0.0.0≥node.js

VendorProductVersionCPE
bodymen_projectbodymen*cpe:2.3:a:bodymen_project:bodymen:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
bodymen_project	bodymen	*	cpe:2.3:a:bodymen_project:bodymen::::::node.js::*

References

github.com/advisories/GHSA-vhxc-fhm5-qcp9

nvd.nist.gov/vuln/detail/CVE-2022-25296

snyk.io/vuln/SNYK-JS-BODYMEN-2342623

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS

0.001

Percentile

40.2%

JSON

Related for GHSA-VHXC-FHM5-QCP9