CVE-2022-41713

2022-11-0320:15:31

CWE-1321

Fluid Attacks

web.nvd.nist.gov

deep-object-diff

1.1.0

security vulnerability

cve-2022-41713

nvd

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

36.9%

JSON

deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the ‘proto’ property to be edited.

Affected configurations

Nvd

Node

deep-object-diff_projectdeep-object-diffMatch1.1.0node.js

VendorProductVersionCPE
deep-object-diff_projectdeep-object-diff1.1.0cpe:2.3:a:deep-object-diff_project:deep-object-diff:1.1.0:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
deep-object-diff_project	deep-object-diff	1.1.0	cpe:2.3:a:deep-object-diff_project:deep-object-diff:1.1.0:::::node.js::

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "deep-object-diff",
    "versions": [
      {
        "version": "1.1.0",
        "status": "affected"
      }
    ]
  }
]