GitHub Advisory DatabaseGHSA-C6H4-GC3F-HGJQPrototype Pollution in js-data
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.033 Low
EPSS
Percentile
91.3%
All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of CVE-2020-28442.
Affected configurations
References
github.com/advisories/GHSA-c6h4-gc3f-hgjq
github.com/js-data/js-data/blob/master/dist/js-data.js%23L472
github.com/js-data/js-data/issues/576
github.com/js-data/js-data/issues/577
nvd.nist.gov/vuln/detail/CVE-2021-23574
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2320790
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2320791
snyk.io/vuln/SNYK-JS-JSDATA-1584361
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.033 Low
EPSS
Percentile
91.3%