Lucene search

GoogleOSV:GHSA-45RM-2893-5F49

HistoryDec 22, 2022 - 6:30 a.m.

liquidjs may leak properties of a prototype

2022-12-2206:30:15

Google

osv.dev

liquidjs

vulnerability

information exposure

prototype leak

fix

software

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

48.0%

JSON

The package liquidjs before 10.0.0 is vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Workaround For versions 9.34.0 and higher, an option to disable this functionality is provided.

CPENameOperatorVersion
liquidjslt10.0.0

CPE	Name	Operator	Version
	liquidjs	lt	10.0.0

References

github.com/harttle/liquidjs

github.com/harttle/liquidjs/commit/7e99efc5131e20cf3f59e1fc2c371a15aa4109db

github.com/harttle/liquidjs/commit/7eb621601c2b05d6e379e5ce42219f2b1f556208

github.com/harttle/liquidjs/issues/454

groups.google.com/u/0/a/snyk.io/g/report/c/9ipXecWRtTM/m/IgLadevtCQAJ

nvd.nist.gov/vuln/detail/CVE-2022-25948

security.snyk.io/vuln/SNYK-JS-LIQUIDJS-2952868

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

48.0%

JSON

Related for OSV:GHSA-45RM-2893-5F49