ghsa-4jqc-8m5r-9rpr
Vulnerability from github
Published
2021-09-13 20:09
Modified
2023-11-03 20:24
Severity
Summary
Prototype Pollution in set-value
Details
This affects the package set-value. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
{
"affected": [
{
"ecosystem_specific": {
"affected_functions": [
"(set-value).validateKey"
]
},
"package": {
"ecosystem": "npm",
"name": "set-value"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "set-value-nuget"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"ecosystem_specific": {
"affected_functions": [
"(set-value).validateKey"
]
},
"package": {
"ecosystem": "npm",
"name": "set-value"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"ecosystem_specific": {
"affected_functions": [
"(set-value).validateKey"
]
},
"package": {
"ecosystem": "npm",
"name": "set-value"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23440"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-13T19:33:18Z",
"nvd_published_at": "2021-09-12T13:15:00Z",
"severity": "HIGH"
},
"details": "This affects the package `set-value`. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.",
"id": "GHSA-4jqc-8m5r-9rpr",
"modified": "2023-11-03T20:24:57Z",
"published": "2021-09-13T20:09:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23440"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/set-value/pull/33"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/set-value/commit/09c4b108fea3c0260008590053ff13da64913245"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad"
},
{
"type": "PACKAGE",
"url": "https://github.com/jonschlinkert/set-value"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541"
},
{
"type": "WEB",
"url": "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in set-value"
}
Loading...