Lucene search

Veracode Vulnerability DatabaseVERACODE:35471

HistoryMay 11, 2022 - 4:03 a.m.

Prototype Pollution

2022-05-1104:03:28

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

JSON

ramda is vulnerable to prototype pollution. An attacker can inject properties into existing construct prototypes via the _curry2 function in the mapObjIndexed.js and modify attributes such as __proto__, constructor, and prototype. This vulnerability has been disputed and is pending further information.

CPENameOperatorVersion
ramdale0.28.0
ramdale0.28.0
ramdale0.27.2
ramdale0.21.0
ramdale0.28.0
ramdale0.28.0
ramdale0.27.2
ramdale0.21.0

Name	Operator	Version
ramda	le	0.28.0
ramda	le	0.28.0
ramda	le	0.27.2
ramda	le	0.21.0
ramda	le	0.28.0
ramda	le	0.28.0
ramda	le	0.27.2
ramda	le	0.21.0

References

github.com/advisories/GHSA-x9wq-pxpv-8p4v

github.com/ramda/ramda/commit/774f767a10f37d1f844168cb7e6412ea6660112d

github.com/ramda/ramda/pull/3192

jsfiddle.net/3pomzw5g/2/

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

JSON

Related for VERACODE:35471