Lucene search

[email protected]NVD:CVE-2023-26102

HistoryFeb 24, 2023 - 5:15 a.m.

CVE-2023-26102

2023-02-2405:15:15

CWE-1321

[email protected]

web.nvd.nist.gov

rangy package

prototype pollution

extend() function

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

33.6%

JSON

All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype

Affected configurations

Nvd

Node

rangy_projectrangyMatch-node.js

VendorProductVersionCPE
rangy_projectrangy-cpe:2.3:a:rangy_project:rangy:-:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
rangy_project	rangy	-	cpe:2.3:a:rangy_project:rangy:-:::::node.js::

References

github.com/timdown/rangy/issues/478

security.snyk.io/vuln/SNYK-JS-RANGY-3175702

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

33.6%

JSON

Related for NVD:CVE-2023-26102

cve1 veracode1 osv1 github1 prion1 cvelist1 ibm1