set-value is vulnerable to prototype pollution. Lack of validation in type of user-provided keys in the path parameter causes a bypass of CVE-2019-10747. The exploit is possible when the user-provided keys used in the path parameter are arrays.
Vendor | Product | Version | CPE |
---|---|---|---|
- | node-set-value\ | sid | cpe:2.3:a:-:node-set-value\:sid:3.0.1-2:*:*:*:*:*:*:* |
set-value_project | set-value | 3.0.0 | cpe:2.3:a:set-value_project:set-value:3.0.0:*:*:*:*:node.js:*:* |
set-value_project | set-value | * | cpe:2.3:a:set-value_project:set-value:*:*:*:*:*:node.js:*:* |
github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452
github.com/jonschlinkert/set-value/commit/b057b1b8cf986746b27a145629d593c6bb4ab7c4
github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad
github.com/jonschlinkert/set-value/pull/33
research.prod.srcclr.io/artifacts/20569
www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
www.oracle.com/security-alerts/cpujan2022.html