Lucene search

Veracode Vulnerability DatabaseVERACODE:42844

HistoryAug 18, 2023 - 3:26 a.m.

Prototype Pollution

2023-08-1803:26:18

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

tree-kit

prototype pollution

vulnerability

extend function

unflat option

arbitrary properties

object's prototype

arbitrary code

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.006

Percentile

79.3%

JSON

tree-kit is vulnerable to Prototype Pollution. The vulnerability occurs because the extend function when the unflat option is set can be used to add arbitrary properties to an object , including properties that are not defined in the object’s prototype which allows an attacker to execute arbitrary code.

References

tree-kit.com

github.com/advisories/GHSA-5p42-m6f3-hpmj

github.com/cronvel/tree-kit

github.com/cronvel/tree-kit/commit/61bf10cf0dbddaeea3f198cfe7cb469f360d82bc

github.com/cronvel/tree-kit/releases/tag/v0.7.5

www.code-intelligence.com/blog/treekit-prototype-pollution-cve-2023-38894

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.006

Percentile

79.3%

JSON

Related for VERACODE:42844