Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2022-AVI-1025
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans IBM QRadar. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM QRadar Network Packet Capture versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 Update Package 3",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Network Packet Capture versions 7.4.x ant\u00e9rieures \u00e0 7.4.3 Fix Pack 6",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Assistant versions ant\u00e9rieures \u00e0 3.6.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-3795",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3795"
},
{
"name": "CVE-2020-7753",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7753"
},
{
"name": "CVE-2021-43307",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43307"
},
{
"name": "CVE-2022-2596",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2596"
},
{
"name": "CVE-2022-38177",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38177"
},
{
"name": "CVE-2021-23337",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
},
{
"name": "CVE-2022-0155",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0155"
},
{
"name": "CVE-2021-42581",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42581"
},
{
"name": "CVE-2022-2526",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2526"
},
{
"name": "CVE-2019-10744",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10744"
},
{
"name": "CVE-2022-0536",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0536"
},
{
"name": "CVE-2022-40674",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40674"
},
{
"name": "CVE-2022-29154",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29154"
},
{
"name": "CVE-2020-28500",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28500"
},
{
"name": "CVE-2020-8203",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8203"
},
{
"name": "CVE-2022-0235",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0235"
},
{
"name": "CVE-2020-15168",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15168"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-1025",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-11-10T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM QRadar.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance,\nun contournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0\nl\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM QRadar",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6838295 du 09 novembre 2022",
"url": "https://www.ibm.com/support/pages/node/6838295"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6838293 du 09 novembre 2022",
"url": "https://www.ibm.com/support/pages/node/6838293"
}
]
}
CVE-2019-10744 (GCVE-0-2019-10744)
Vulnerability from cvelistv5 – Published: 2019-07-25 23:43 – Updated: 2024-08-04 22:32
VLAI
EPSS
Summary
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Severity
No CVSS data available.
CWE
- Prototype Pollution
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2019:3024 | vendor-advisoryx_refsource_REDHAT |
| https://www.oracle.com/security-alerts/cpuoct2020.html | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JS-LODASH-450202 | x_refsource_CONFIRM |
| https://security.netapp.com/advisory/ntap-2019100… | x_refsource_CONFIRM |
| https://support.f5.com/csp/article/K47105354?utm_… | x_refsource_CONFIRM |
| https://www.oracle.com/security-alerts/cpujan2021.html | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:01.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2019:3024",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3024"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-450202"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20191004-0005/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lodash",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to 4.17.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-20T14:42:00.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"name": "RHSA-2019:3024",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3024"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-450202"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20191004-0005/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lodash",
"version": {
"version_data": [
{
"version_value": "All versions prior to 4.17.12"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2019:3024",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3024"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://snyk.io/vuln/SNYK-JS-LODASH-450202",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-450202"
},
{
"name": "https://security.netapp.com/advisory/ntap-20191004-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20191004-0005/"
},
{
"name": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10744",
"datePublished": "2019-07-25T23:43:03.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:01.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15168 (GCVE-0-2020-15168)
Vulnerability from cvelistv5 – Published: 2020-09-10 18:25 – Updated: 2024-08-04 13:08
VLAI
EPSS
Title
File size limit bypass in node-fetch
Summary
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Severity
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/node-fetch/node-fetch/security… | x_refsource_CONFIRM |
| https://www.npmjs.com/package/node-fetch | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| node-fetch | node-fetch |
Affected:
<2.6.1
Affected: >3.0.0-beta.1, <3.0.0-beta.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.npmjs.com/package/node-fetch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-fetch",
"vendor": "node-fetch",
"versions": [
{
"status": "affected",
"version": "\u003c2.6.1"
},
{
"status": "affected",
"version": "\u003e3.0.0-beta.1, \u003c3.0.0-beta.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don\u0027t double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-10T18:25:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.npmjs.com/package/node-fetch"
}
],
"source": {
"advisory": "GHSA-w7rc-rwvf-8q5r",
"discovery": "UNKNOWN"
},
"title": "File size limit bypass in node-fetch",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15168",
"STATE": "PUBLIC",
"TITLE": "File size limit bypass in node-fetch"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "node-fetch",
"version": {
"version_data": [
{
"version_value": "\u003c2.6.1"
},
{
"version_value": "\u003e3.0.0-beta.1, \u003c3.0.0-beta.9"
}
]
}
}
]
},
"vendor_name": "node-fetch"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don\u0027t double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-770 Allocation of Resources Without Limits or Throttling"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r",
"refsource": "CONFIRM",
"url": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r"
},
{
"name": "https://www.npmjs.com/package/node-fetch",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/node-fetch"
}
]
},
"source": {
"advisory": "GHSA-w7rc-rwvf-8q5r",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15168",
"datePublished": "2020-09-10T18:25:13.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:22.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28500 (GCVE-0-2020-28500)
Vulnerability from cvelistv5 – Published: 2021-02-15 11:10 – Updated: 2024-09-16 22:15
VLAI
EPSS
Title
Regular Expression Denial of Service (ReDoS)
Summary
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Severity
5.3 (Medium)
CWE
- Regular Expression Denial of Service (ReDoS)
Assigner
References
14 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-LODASH-1018905 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGIT… | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896 | x_refsource_MISC |
| https://github.com/lodash/lodash/blob/npm/trimEnd… | x_refsource_MISC |
| https://github.com/lodash/lodash/pull/5065 | x_refsource_MISC |
| https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2021031… | x_refsource_CONFIRM |
| https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_CONFIRM |
Date Public
2021-02-15 00:00
Credits
Liyuan Chen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:40:59.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Lodash",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "versions prior to 4.17.21"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Liyuan Chen"
}
],
"datePublic": "2021-02-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T11:06:20.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "Regular Expression Denial of Service (ReDoS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-02-15T11:10:02.896752Z",
"ID": "CVE-2020-28500",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service (ReDoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lodash",
"version": {
"version_data": [
{
"version_value": "versions prior to 4.17.21"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Liyuan Chen"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regular Expression Denial of Service (ReDoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"name": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"name": "https://github.com/lodash/lodash/pull/5065",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210312-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-28500",
"datePublished": "2021-02-15T11:10:16.225Z",
"dateReserved": "2020-11-12T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:15:52.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7753 (GCVE-0-2020-7753)
Vulnerability from cvelistv5 – Published: 2020-10-27 08:15 – Updated: 2024-09-16 22:03
VLAI
EPSS
Title
Regular Expression Denial of Service (ReDoS)
Summary
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Severity
7.5 (High)
CWE
- Regular Expression Denial of Service (ReDoS)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-TRIM-1017038 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1022132 | x_refsource_MISC |
| https://github.com/component/trim/blob/master/ind… | x_refsource_MISC |
| https://lists.apache.org/thread.html/r75b8d0b8883… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r10faad1ef91… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r51ff3c2a4c7… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/rb8462df3b64… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/rcc7c2865a52… | mailing-listx_refsource_MLIST |
Date Public
2020-10-27 00:00
Credits
Liyuan Chen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:01.526Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-TRIM-1017038"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1022132"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/component/trim/blob/master/index.js%23L6"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] kaxil opened a new pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r75b8d0b88833d7d96afcdce3ead65e212572ead4e7a9f34d21040196%40%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] ryanahamilton commented on pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r10faad1ef9166d37a1a5c9142b1af7099b8ecdc5ad05c51b8ea993d9%40%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] kaxil closed pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r51ff3c2a4c7b8402f321eae7e624672cc2295c7bc8c12c8b871f6b0b%40%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] github-actions[bot] commented on pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb8462df3b6484e778905c09cd49a8912e1a302659860017ebe36da03%40%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] ryanahamilton closed pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcc7c2865a52b544a8e49386c6880e9b9ab29bfce1052b5569d09ee4a%40%3Ccommits.airflow.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "trim",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Liyuan Chen"
}
],
"datePublic": "2020-10-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim()."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-12T00:06:17.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-TRIM-1017038"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1022132"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/component/trim/blob/master/index.js%23L6"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] kaxil opened a new pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r75b8d0b88833d7d96afcdce3ead65e212572ead4e7a9f34d21040196%40%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] ryanahamilton commented on pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r10faad1ef9166d37a1a5c9142b1af7099b8ecdc5ad05c51b8ea993d9%40%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] kaxil closed pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r51ff3c2a4c7b8402f321eae7e624672cc2295c7bc8c12c8b871f6b0b%40%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] github-actions[bot] commented on pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb8462df3b6484e778905c09cd49a8912e1a302659860017ebe36da03%40%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] ryanahamilton closed pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcc7c2865a52b544a8e49386c6880e9b9ab29bfce1052b5569d09ee4a%40%3Ccommits.airflow.apache.org%3E"
}
],
"title": "Regular Expression Denial of Service (ReDoS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2020-10-27T08:12:13.243968Z",
"ID": "CVE-2020-7753",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service (ReDoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "trim",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Liyuan Chen"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim()."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regular Expression Denial of Service (ReDoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-TRIM-1017038",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-TRIM-1017038"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1022132",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1022132"
},
{
"name": "https://github.com/component/trim/blob/master/index.js%23L6",
"refsource": "MISC",
"url": "https://github.com/component/trim/blob/master/index.js%23L6"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] kaxil opened a new pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r75b8d0b88833d7d96afcdce3ead65e212572ead4e7a9f34d21040196@%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] ryanahamilton commented on pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r10faad1ef9166d37a1a5c9142b1af7099b8ecdc5ad05c51b8ea993d9@%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] kaxil closed pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r51ff3c2a4c7b8402f321eae7e624672cc2295c7bc8c12c8b871f6b0b@%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] github-actions[bot] commented on pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb8462df3b6484e778905c09cd49a8912e1a302659860017ebe36da03@%3Ccommits.airflow.apache.org%3E"
},
{
"name": "[airflow-commits] 20210511 [GitHub] [airflow] ryanahamilton closed pull request #15782: Bump ``trim`` to fix ``CVE-2020-7753``",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcc7c2865a52b544a8e49386c6880e9b9ab29bfce1052b5569d09ee4a@%3Ccommits.airflow.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7753",
"datePublished": "2020-10-27T08:15:15.542Z",
"dateReserved": "2020-01-21T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:03:06.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8203 (GCVE-0-2020-8203)
Vulnerability from cvelistv5 – Published: 2020-07-15 16:10 – Updated: 2024-08-04 09:56
VLAI
EPSS
Summary
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Severity
No CVSS data available.
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling (CWE-770)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/712065 | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpuApr2021.html | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2020072… | x_refsource_CONFIRM |
| https://github.com/lodash/lodash/issues/4874 | x_refsource_MISC |
| https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/712065"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200724-0006/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/issues/4874"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lodash",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Not Fixed"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling (CWE-770)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:23:22.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/712065"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200724-0006/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/issues/4874"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8203",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lodash",
"version": {
"version_data": [
{
"version_value": "Not Fixed"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Allocation of Resources Without Limits or Throttling (CWE-770)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/712065",
"refsource": "MISC",
"url": "https://hackerone.com/reports/712065"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200724-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200724-0006/"
},
{
"name": "https://github.com/lodash/lodash/issues/4874",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/issues/4874"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8203",
"datePublished": "2020-07-15T16:10:27.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23337 (GCVE-0-2021-23337)
Vulnerability from cvelistv5 – Published: 2021-02-15 12:15 – Updated: 2024-09-16 19:15
VLAI
EPSS
Title
Command Injection
Summary
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Severity
CWE
- Command Injection
Assigner
References
13 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-LODASH-1040724 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGIT… | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932 | x_refsource_MISC |
| https://github.com/lodash/lodash/blob/ddfd9b11a01… | x_refsource_MISC |
| https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2021031… | x_refsource_CONFIRM |
| https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_CONFIRM |
Date Public
2021-02-15 00:00
Credits
Marc Hassan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Lodash",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "prior to 4.17.21"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Marc Hassan"
}
],
"datePublic": "2021-02-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.8,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T11:06:34.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "Command Injection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-02-15T12:13:18.729628Z",
"ID": "CVE-2021-23337",
"STATE": "PUBLIC",
"TITLE": "Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lodash",
"version": {
"version_data": [
{
"version_value": "prior to 4.17.21"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Marc Hassan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932"
},
{
"name": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210312-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23337",
"datePublished": "2021-02-15T12:15:14.715Z",
"dateReserved": "2021-01-08T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:15:17.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3795 (GCVE-0-2021-3795)
Vulnerability from cvelistv5 – Published: 2021-09-15 16:23 – Updated: 2024-08-03 17:09
VLAI
EPSS
Title
Inefficient Regular Expression Complexity in sindresorhus/semver-regex
Summary
semver-regex is vulnerable to Inefficient Regular Expression Complexity
Severity
7.5 (High)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/006624e3-35ac-448f-aab… | x_refsource_CONFIRM |
| https://github.com/sindresorhus/semver-regex/comm… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| sindresorhus | sindresorhus/semver-regex |
Affected:
unspecified , < 4.0.1
(custom)
Affected: unspecified , < 3.1.3 (custom) Unaffected: 3.1.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:08.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/006624e3-35ac-448f-aab9-7b5183f30e28"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sindresorhus/semver-regex/commit/11c66245f4e1976dccc52977ed183696a21a3fd7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sindresorhus/semver-regex",
"vendor": "sindresorhus",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "3.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "semver-regex is vulnerable to Inefficient Regular Expression Complexity"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-15T16:23:49.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/006624e3-35ac-448f-aab9-7b5183f30e28"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sindresorhus/semver-regex/commit/11c66245f4e1976dccc52977ed183696a21a3fd7"
}
],
"source": {
"advisory": "006624e3-35ac-448f-aab9-7b5183f30e28",
"discovery": "EXTERNAL"
},
"title": "Inefficient Regular Expression Complexity in sindresorhus/semver-regex",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3795",
"STATE": "PUBLIC",
"TITLE": "Inefficient Regular Expression Complexity in sindresorhus/semver-regex"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "sindresorhus/semver-regex",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.0.1"
},
{
"version_affected": "\u003c",
"version_value": "3.1.3"
},
{
"version_affected": "!",
"version_value": "3.1.3"
}
]
}
}
]
},
"vendor_name": "sindresorhus"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "semver-regex is vulnerable to Inefficient Regular Expression Complexity"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/006624e3-35ac-448f-aab9-7b5183f30e28",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/006624e3-35ac-448f-aab9-7b5183f30e28"
},
{
"name": "https://github.com/sindresorhus/semver-regex/commit/11c66245f4e1976dccc52977ed183696a21a3fd7",
"refsource": "MISC",
"url": "https://github.com/sindresorhus/semver-regex/commit/11c66245f4e1976dccc52977ed183696a21a3fd7"
}
]
},
"source": {
"advisory": "006624e3-35ac-448f-aab9-7b5183f30e28",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3795",
"datePublished": "2021-09-15T16:23:49.000Z",
"dateReserved": "2021-09-11T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:09:08.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42581 (GCVE-0-2021-42581)
Vulnerability from cvelistv5 – Published: 2022-05-10 10:08 – Updated: 2024-08-04 03:38 Disputed
VLAI
EPSS
Summary
Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ramda/ramda/pull/3192 | x_refsource_MISC |
| https://jsfiddle.net/3pomzw5g/2/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:49.341Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ramda/ramda/pull/3192"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jsfiddle.net/3pomzw5g/2/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property \"__proto__\") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn\u0027t know would contain custom prototypes"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T02:55:13.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ramda/ramda/pull/3192"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jsfiddle.net/3pomzw5g/2/"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42581",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property \"__proto__\") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn\u0027t know would contain custom prototypes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ramda/ramda/pull/3192",
"refsource": "MISC",
"url": "https://github.com/ramda/ramda/pull/3192"
},
{
"name": "https://jsfiddle.net/3pomzw5g/2/",
"refsource": "MISC",
"url": "https://jsfiddle.net/3pomzw5g/2/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42581",
"datePublished": "2022-05-10T10:08:13.000Z",
"dateReserved": "2021-10-18T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:38:49.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43307 (GCVE-0-2021-43307)
Vulnerability from cvelistv5 – Published: 2022-06-01 16:47 – Updated: 2024-09-17 00:35
VLAI
EPSS
Title
Exponential ReDoS in semver-regex
Summary
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
Severity
5.9 (Medium)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://research.jfrog.com/vulnerabilities/semver… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| semver-regex | semver-regex |
Affected:
unspecified , < 3.1.4
(custom)
|
Date Public
2022-05-29 00:00
Credits
Denys Vozniuk from JFrog Security Research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.496Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "semver-regex",
"vendor": "semver-regex",
"versions": [
{
"changes": [
{
"at": "4.0.3",
"status": "unaffected"
}
],
"lessThan": "3.1.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Denys Vozniuk from JFrog Security Research"
}
],
"datePublic": "2022-05-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T16:47:38.000Z",
"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"shortName": "JFROG"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Exponential ReDoS in semver-regex",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@jfrog.com",
"DATE_PUBLIC": "2022-05-29T23:05:00.000Z",
"ID": "CVE-2021-43307",
"STATE": "PUBLIC",
"TITLE": "Exponential ReDoS in semver-regex"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "semver-regex",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "3.1.4"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "",
"version_value": "4.0.3"
}
]
}
}
]
},
"vendor_name": "semver-regex"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "Denys Vozniuk from JFrog Security Research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method"
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/",
"refsource": "MISC",
"url": "https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/"
}
]
},
"solution": [],
"source": {
"advisory": "",
"defect": [],
"discovery": "EXTERNAL"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"assignerShortName": "JFROG",
"cveId": "CVE-2021-43307",
"datePublished": "2022-06-01T16:47:38.625Z",
"dateReserved": "2021-11-03T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:35:50.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0155 (GCVE-0-2022-0155)
Vulnerability from cvelistv5 – Published: 2022-01-10 19:30 – Updated: 2024-08-02 23:18
VLAI
EPSS
Title
Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects/follow-redirects
Summary
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Severity
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab6… | x_refsource_CONFIRM |
| https://github.com/follow-redirects/follow-redire… | x_refsource_MISC |
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| follow-redirects | follow-redirects/follow-redirects |
Affected:
unspecified , < 1.14.7
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.041Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "follow-redirects/follow-redirects",
"vendor": "follow-redirects",
"versions": [
{
"lessThan": "1.14.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T11:06:25.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"source": {
"advisory": "fc524e4b-ebb6-427d-ab67-a64181020406",
"discovery": "EXTERNAL"
},
"title": "Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects/follow-redirects",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0155",
"STATE": "PUBLIC",
"TITLE": "Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects/follow-redirects"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "follow-redirects/follow-redirects",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.14.7"
}
]
}
}
]
},
"vendor_name": "follow-redirects"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406"
},
{
"name": "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22",
"refsource": "MISC",
"url": "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
]
},
"source": {
"advisory": "fc524e4b-ebb6-427d-ab67-a64181020406",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0155",
"datePublished": "2022-01-10T19:30:10.000Z",
"dateReserved": "2022-01-07T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:42.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…