Lucene search

GitHub Advisory DatabaseGHSA-8F89-2FWJ-5V5R

HistoryApr 13, 2021 - 3:41 p.m.

Improper Input Validation in klona

2021-04-1315:41:24

CWE-20

GitHub Advisory Database

github.com

improper input validation

klona

npm package

prototype pollution attack

remote code execution

denial of service

applications

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.015

Percentile

86.8%

JSON

Flaw in input validation in npm package klona version 1.1.0 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona.

Affected configurations

Vulners

Node

klona_projectklonaRange≤1.1.0node.js

VendorProductVersionCPE
klona_projectklona*cpe:2.3:a:klona_project:klona:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
klona_project	klona	*	cpe:2.3:a:klona_project:klona::::::node.js::*

References

github.com/advisories/GHSA-8f89-2fwj-5v5r

github.com/lukeed/klona/commit/200e8d1fd383a54790ee6fc8228264c21954e38e

hackerone.com/reports/778414

nvd.nist.gov/vuln/detail/CVE-2020-8125

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.015

Percentile

86.8%

JSON

Related for GHSA-8F89-2FWJ-5V5R