Lucene search

[email protected]NVD:CVE-2021-23447

HistoryOct 07, 2021 - 5:15 p.m.

CVE-2021-23447

2021-10-0717:15:08

CWE-843

[email protected]

web.nvd.nist.gov

package teddy

vulnerability

type confusion

bypass input sanitization

model content

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

43.8%

JSON

This affects the package teddy before 0.5.9. A type confusion vulnerability can be used to bypass input sanitization when the model content is an array (instead of a string).

Affected configurations

Nvd

Node

teddy_projectteddyRange<0.5.9node.js

VendorProductVersionCPE
teddy_projectteddy*cpe:2.3:a:teddy_project:teddy:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
teddy_project	teddy	*	cpe:2.3:a:teddy_project:teddy::::::node.js::*

References

github.com/rooseveltframework/teddy/pull/518

github.com/rooseveltframework/teddy/releases/tag/0.5.9

snyk.io/vuln/SNYK-JS-TEDDY-1579557

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

43.8%

JSON

Related for NVD:CVE-2021-23447

osv2 prion1 cve1 veracode1 github1 cvelist1