CVE-2022-41713 deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the ‘__proto__’ property to be edited.
CVEID: CVE-2022-41713
**DESCRIPTION:** Node.js deep-object-diff module is vulnerable to a denial of service, caused by a prototype pollution flaw. By failing to properly validate incoming JSON keys, a remote attacker could exploit this vulnerability to edit or add new properties to an object.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239575 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
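The key validation that the description says is missing can be applied by a consuming application before untrusted JSON reaches a recursive diff or merge routine. The following is an added example, not code from deep-object-diff or IBM; the function names and sample documents are constructed, and blocking `constructor` and `prototype` in addition to `__proto__` is an assumption beyond what the advisory names.

```javascript
// Added example: key validation for untrusted JSON before it reaches a
// recursive diff or merge routine. All names here are hypothetical.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Return the path of every forbidden own key in a parsed JSON value.
// JSON.parse stores "__proto__" as an ordinary own property, so Object.keys
// sees it here; the danger starts when later code copies it key by key.
function findForbiddenKeys(root) {
  const hits = [];
  const stack = [[root, "$"]]; // explicit stack avoids deep recursion here
  while (stack.length > 0) {
    const [value, path] = stack.pop();
    if (value === null || typeof value !== "object") continue;
    const isArray = Array.isArray(value);
    for (const key of Object.keys(value)) {
      const childPath = isArray ? `${path}[${key}]` : `${path}.${key}`;
      if (!isArray && FORBIDDEN_KEYS.has(key)) hits.push(childPath);
      stack.push([value[key], childPath]);
    }
  }
  return hits;
}

// Strict mode: refuse the whole document if any forbidden key is present.
function parseUntrustedJson(text) {
  const parsed = JSON.parse(text);
  const hits = findForbiddenKeys(parsed);
  if (hits.length > 0) {
    throw new Error(`rejected JSON, forbidden key at ${hits.join(", ")}`);
  }
  return parsed;
}

// Lenient mode: drop forbidden keys while parsing (a reviver that returns
// undefined deletes the property from its holder).
function stripForbiddenKeys(text) {
  return JSON.parse(text, (key, value) =>
    FORBIDDEN_KEYS.has(key) ? undefined : value);
}

// Constructed sample inputs.
const benignDoc = '{"name":"release","stages":[{"id":1}]}';
const pollutedDoc = '{"name":"release","stages":[{"__proto__":{"isAdmin":true}}]}';

console.log(findForbiddenKeys(JSON.parse(benignDoc)));
console.log(findForbiddenKeys(JSON.parse(pollutedDoc)));
```

Strict rejection also gives a loggable path for each offending key, which is useful as a detection signal; this check complements the vendor upgrade and does not replace it.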
Affected Product(s) | Version(s) |
---|---|
UCV - UrbanCode Velocity | All |
Upgrade to 4.0.6 or later
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+UrbanCode+Velocity&release=All&platform=All&function=all
None
CPE | Name | Operator | Version |
---|---|---|---|
| ibm urbancode velocity | eq | 2.3.5 |