Lucene search

SnykCVELIST:CVE-2021-23470

HistoryFeb 04, 2022 - 8:05 p.m.

CVE-2021-23470 Prototype Pollution

2022-02-0420:05:12

snyk

www.cve.org

cve-2021-23470

prototype pollution

putil-merge before 3.8.0

merge() function

constructor property

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P

AI Score

9.7

Confidence

High

EPSS

0.003

Percentile

66.0%

JSON

This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077

CNA Affected

[
  {
    "product": "putil-merge",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "3.8.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/panates/putil-merge/commit/476d00078dfb2827d7c9ee0f2392c81b864f7bc5

snyk.io/vuln/SNYK-JS-PUTILMERGE-2391487

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P

AI Score

9.7

Confidence

High

EPSS

0.003

Percentile

66.0%

JSON

Related for CVELIST:CVE-2021-23470