Lucene search

GoogleOSV:CVE-2022-25948

HistoryDec 22, 2022 - 5:15 a.m.

CVE-2022-25948

2022-12-2205:15:10

Google

osv.dev

liquidjs

information exposure

ownpropertyonly

prototype

workaround

disable functionality

software

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

47.8%

JSON

The package liquidjs before 10.0.0 are vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Workaround For versions 9.34.0 and higher, an option to disable this functionality is provided.

CPENameOperatorVersion
liquidjseq2.1.4
liquidjseq8.0.2
liquidjseq9.25.1
liquidjseq6.1.1
liquidjseq7.2.2
liquidjseq6.4.2
liquidjseq8.2.0
liquidjseq9.15.1
liquidjseq3.1.3
liquidjseq8.0.3

Name	Operator	Version
liquidjs	eq	2.1.4
liquidjs	eq	8.0.2
liquidjs	eq	9.25.1
liquidjs	eq	6.1.1
liquidjs	eq	7.2.2
liquidjs	eq	6.4.2
liquidjs	eq	8.2.0
liquidjs	eq	9.15.1
liquidjs	eq	3.1.3
liquidjs	eq	8.0.3

Rows per page:

1-10 of 1711

References

github.com/harttle/liquidjs/commit/7e99efc5131e20cf3f59e1fc2c371a15aa4109db

github.com/harttle/liquidjs/commit/7eb621601c2b05d6e379e5ce42219f2b1f556208

github.com/harttle/liquidjs/issues/454

groups.google.com/u/0/a/snyk.io/g/report/c/9ipXecWRtTM/m/IgLadevtCQAJ

security.snyk.io/vuln/SNYK-JS-LIQUIDJS-2952868

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

47.8%

JSON

Related for OSV:CVE-2022-25948