History: Nov 17, 2023 - 8:53 p.m.

Security Bulletin: CVE-2022-41713 An issue was discovered in deep-object-diff version 1.1.0

Published: 2023-11-17 20:53:27
Source: www.ibm.com

Tags: node.js, denial of service, prototype pollution, json keys, security vulnerability, urbancode velocity, upgrade

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score: 7.2 (Confidence: High)
EPSS: 0.001 (Percentile: 36.9%)

Summary

CVE-2022-41713 deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.

Vulnerability Details

CVEID: CVE-2022-41713
**DESCRIPTION:** Node.js deep-object-diff module is vulnerable to a denial of service, caused by a prototype pollution flaw. By failing to properly validate incoming JSON keys, a remote attacker could exploit this vulnerability to edit or add new properties to an object.
CVSS Base score: 5.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/239575 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
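
The pollution path the description refers to, shown as an added example that is not code from deep-object-diff or IBM: a hypothetical recursive "apply diff" helper that walks unvalidated JSON keys, beside a hardened form and a check for unexpected keys on Object.prototype (the function names, the sample JSON body and the `injected` key are constructed for illustration).

```javascript
// Added example, not code from deep-object-diff or IBM UrbanCode Velocity: a
// hypothetical recursive "apply diff" helper in unsafe and hardened forms.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unsafe: JSON.parse stores "__proto__" as an ordinary own property, Object.keys
// returns it, and target["__proto__"] resolves to Object.prototype, so the
// recursion writes the nested keys onto every object in the process.
function applyDiffUnsafe(target, diff) {
  for (const key of Object.keys(diff)) {
    if (isPlainObject(diff[key]) && isPlainObject(target[key])) {
      applyDiffUnsafe(target[key], diff[key]);
    } else {
      target[key] = diff[key];
    }
  }
  return target;
}

// Hardened: reject keys that reach the prototype chain, and only recurse into
// properties the target itself owns, never inherited ones.
function applyDiffSafe(target, diff) {
  for (const key of Object.keys(diff)) {
    if (DANGEROUS_KEYS.has(key)) throw new Error(`rejected unsafe key: ${key}`);
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (own && isPlainObject(target[key]) && isPlainObject(diff[key])) {
      applyDiffSafe(target[key], diff[key]);
    } else {
      target[key] = diff[key];
    }
  }
  return target;
}

// Detection: Object.prototype normally has no enumerable own keys, so any key
// listed here was added at runtime.
const unexpectedPrototypeKeys = () => Object.keys(Object.prototype);
// Constructed sample body: a JSON diff carrying a "__proto__" key.
const SAMPLE_DIFF_JSON = '{"name":"svc","__proto__":{"injected":true}}';

// Runs the unsafe path, observes the effect on an unrelated object, then
// deletes the injected key so the process is left clean.
function demonstrate() {
  const target = { name: 'old' };
  applyDiffUnsafe(target, JSON.parse(SAMPLE_DIFF_JSON));
  const leaked = ({}).injected === true;
  const seen = unexpectedPrototypeKeys();
  delete Object.prototype.injected;
  return { leaked, seen, clean: unexpectedPrototypeKeys().length === 0 };
}
```

The hardened form fails closed on a rejected key rather than silently skipping it, so a request carrying such a key is surfaced in application logs instead of being partially applied.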

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| UCV - UrbanCode Velocity | All |

Remediation/Fixes

Upgrade to 4.0.6 or later
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+UrbanCode+Velocity&release=All&platform=All&function=all

Workarounds and Mitigations

None

Affected configurations

Vulners match: ibm ucv_-_urbancode_velocity 2.3.5

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | ucv_-_urbancode_velocity | 2.3.5 | cpe:2.3:a:ibm:ucv_-_urbancode_velocity:2.3.5:*:*:*:*:*:*:* |
