Vulnerability-Lookup

WID-SEC-W-2022-1603

Vulnerability from csaf_certbund - Published: 2022-10-03 22:00 - Updated: 2026-03-24 23:00

Summary

IBM Tivoli Netcool/OMNIbus: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Tivoli Netcool/OMNIbus ist eine Software zum Betriebsmanagement von IBM.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM Tivoli Netcool/OMNIbus ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen.

Betroffene Betriebssysteme: - Linux - UNIX - Windows

CVE-2017-16028

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2018-3719

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2018-3745

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2018-6341

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2019-10746

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2019-10747

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2020-15168

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2020-7733

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2020-7774

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2020-7788

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2020-7793

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-23362

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-23440

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-25949

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-27292

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-32803

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-32804

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-37701

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-37712

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-37713

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2021-42740

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2022-0235

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2022-25758

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

CVE-2022-25858

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
IBM Tivoli Netcool/OMNIbus 8.1.0 IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29`	8.1.0
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—

References

4 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.ibm.com/support/pages/node/6825871	external
https://www.ibm.com/support/pages/node/7266699	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Tivoli Netcool/OMNIbus ist eine Software zum Betriebsmanagement von IBM.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM Tivoli Netcool/OMNIbus ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-1603 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1603.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-1603 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1603"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2022-10-03",
        "url": "https://www.ibm.com/support/pages/node/6825871"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7266699 vom 2026-03-24",
        "url": "https://www.ibm.com/support/pages/node/7266699"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM Tivoli Netcool/OMNIbus: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-24T23:00:00.000+00:00",
      "generator": {
        "date": "2026-03-25T10:21:14.247+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2022-1603",
      "initial_release_date": "2022-10-03T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-10-03T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-24T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM InfoSphere Information Server",
            "product": {
              "name": "IBM InfoSphere Information Server",
              "product_id": "T035705",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:infosphere_information_server:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8.1.0",
                "product": {
                  "name": "IBM Tivoli Netcool/OMNIbus 8.1.0",
                  "product_id": "T023768",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0.29"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tivoli Netcool/OMNIbus"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-16028",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2017-16028"
    },
    {
      "cve": "CVE-2018-3719",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2018-3719"
    },
    {
      "cve": "CVE-2018-3745",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2018-3745"
    },
    {
      "cve": "CVE-2018-6341",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2018-6341"
    },
    {
      "cve": "CVE-2019-10746",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2019-10746"
    },
    {
      "cve": "CVE-2019-10747",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2019-10747"
    },
    {
      "cve": "CVE-2020-15168",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2020-15168"
    },
    {
      "cve": "CVE-2020-7733",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2020-7733"
    },
    {
      "cve": "CVE-2020-7774",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2020-7774"
    },
    {
      "cve": "CVE-2020-7788",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2020-7788"
    },
    {
      "cve": "CVE-2020-7793",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2020-7793"
    },
    {
      "cve": "CVE-2021-23362",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-23362"
    },
    {
      "cve": "CVE-2021-23440",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-23440"
    },
    {
      "cve": "CVE-2021-25949",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-25949"
    },
    {
      "cve": "CVE-2021-27292",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-27292"
    },
    {
      "cve": "CVE-2021-32803",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-32803"
    },
    {
      "cve": "CVE-2021-32804",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-32804"
    },
    {
      "cve": "CVE-2021-37701",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-37701"
    },
    {
      "cve": "CVE-2021-37712",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-37712"
    },
    {
      "cve": "CVE-2021-37713",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-37713"
    },
    {
      "cve": "CVE-2021-42740",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2021-42740"
    },
    {
      "cve": "CVE-2022-0235",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2022-0235"
    },
    {
      "cve": "CVE-2022-25758",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2022-25758"
    },
    {
      "cve": "CVE-2022-25858",
      "product_status": {
        "known_affected": [
          "T023768",
          "T035705"
        ]
      },
      "release_date": "2022-10-03T22:00:00.000+00:00",
      "title": "CVE-2022-25858"
    }
  ]
}

CVE-2017-16028 (GCVE-0-2017-16028)

Vulnerability from cvelistv5 – Published: 2018-06-04 19:00 – Updated: 2024-09-17 02:06

Summary

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

Severity

No CVSS data available.

CWE

CWE-330 - Use of Insufficiently Random Values (CWE-330)

Assigner

hackerone

References

2 references

URL	Tags
https://github.com/tableflip/react-native-meteor-…	x_refsource_MISC
https://nodesecurity.io/advisories/157	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
HackerOne	react-native-meteor-oauth node module	Affected: All versions

Date Public

2018-04-26 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:13:06.616Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tableflip/react-native-meteor-oauth/blob/a7eb738b74c469f5db20296b44b7cae4e2337435/src/meteor-oauth.js#L66"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nodesecurity.io/advisories/157"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "react-native-meteor-oauth node module",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        }
      ],
      "datePublic": "2018-04-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random())."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "Use of Insufficiently Random Values (CWE-330)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-04T18:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tableflip/react-native-meteor-oauth/blob/a7eb738b74c469f5db20296b44b7cae4e2337435/src/meteor-oauth.js#L66"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nodesecurity.io/advisories/157"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2018-04-26T00:00:00",
          "ID": "CVE-2017-16028",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "react-native-meteor-oauth node module",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random())."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Use of Insufficiently Random Values (CWE-330)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/tableflip/react-native-meteor-oauth/blob/a7eb738b74c469f5db20296b44b7cae4e2337435/src/meteor-oauth.js#L66",
              "refsource": "MISC",
              "url": "https://github.com/tableflip/react-native-meteor-oauth/blob/a7eb738b74c469f5db20296b44b7cae4e2337435/src/meteor-oauth.js#L66"
            },
            {
              "name": "https://nodesecurity.io/advisories/157",
              "refsource": "MISC",
              "url": "https://nodesecurity.io/advisories/157"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2017-16028",
    "datePublished": "2018-06-04T19:00:00.000Z",
    "dateReserved": "2017-10-29T00:00:00.000Z",
    "dateUpdated": "2024-09-17T02:06:18.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-3719 (GCVE-0-2018-3719)

Vulnerability from cvelistv5 – Published: 2018-06-07 02:00 – Updated: 2024-09-17 04:19

Summary

mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Severity

No CVSS data available.

CWE

CWE-471 - Modification of Assumed-Immutable Data (MAID) (CWE-471)

Assigner

hackerone

References

2 references

URL	Tags
https://github.com/jonschlinkert/mixin-deep/commi…	x_refsource_MISC
https://hackerone.com/reports/311236	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
HackerOne	mixin-deep node module	Affected: Versions before 1.3.1

Date Public

2018-04-26 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T04:50:30.481Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/311236"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mixin-deep node module",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "Versions before 1.3.1"
            }
          ]
        }
      ],
      "datePublic": "2018-04-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-471",
              "description": "Modification of Assumed-Immutable Data (MAID) (CWE-471)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-07T01:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/311236"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2018-04-26T00:00:00",
          "ID": "CVE-2018-3719",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mixin-deep node module",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions before 1.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Modification of Assumed-Immutable Data (MAID) (CWE-471)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c",
              "refsource": "MISC",
              "url": "https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c"
            },
            {
              "name": "https://hackerone.com/reports/311236",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/311236"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2018-3719",
    "datePublished": "2018-06-07T02:00:00.000Z",
    "dateReserved": "2017-12-28T00:00:00.000Z",
    "dateUpdated": "2024-09-17T04:19:14.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-3745 (GCVE-0-2018-3745)

Vulnerability from cvelistv5 – Published: 2018-05-29 20:00 – Updated: 2024-09-17 03:59

Summary

atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.

Severity

No CVSS data available.

CWE

CWE-125 - Out-of-bounds Read (CWE-125)

Assigner

hackerone

References

2 references

URL	Tags
https://hackerone.com/reports/321686
https://security.netapp.com/advisory/ntap-2023062…

Impacted products

1 product

Vendor	Product	Version
HackerOne	atob node module	Affected: <=2.0.3

Date Public

2018-04-26 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T04:50:30.728Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/321686"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230622-0009/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "atob node module",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c=2.0.3"
            }
          ]
        }
      ],
      "datePublic": "2018-04-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "Out-of-bounds Read (CWE-125)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-22T00:00:00.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/321686"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230622-0009/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2018-3745",
    "datePublished": "2018-05-29T20:00:00.000Z",
    "dateReserved": "2017-12-28T00:00:00.000Z",
    "dateUpdated": "2024-09-17T03:59:23.153Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-6341 (GCVE-0-2018-6341)

Vulnerability from cvelistv5 – Published: 2018-12-31 22:00 – Updated: 2025-05-06 16:54

Summary

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (CWE-79)

Assigner

facebook

References

2 references

URL	Tags
https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html	x_refsource_MISC
https://twitter.com/reactjs/status/1024745321987887104	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Facebook	react-dom	Affected: 16.4.2 Affected: 16.4.0 , < unspecified (custom) Affected: 16.3.3 Affected: 16.3.0 , < unspecified (custom) Affected: 16.2.1 Affected: 16.2.0 , < unspecified (custom) Affected: 16.1.2 Affected: 16.1.0 , < unspecified (custom) Affected: 16.0.1 Affected: 16.0.0 , < unspecified (custom) Unaffected: unspecified , < 16.0.0 (custom)

Date Public

2018-12-31 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:01:48.794Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://twitter.com/reactjs/status/1024745321987887104"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2018-6341",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T16:54:12.196558Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T16:54:17.932Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "react-dom",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "16.4.2"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.4.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "16.3.3"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.3.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "16.2.1"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.2.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "16.1.2"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.1.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "16.0.1"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "16.0.0",
              "status": "unaffected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "dateAssigned": "2018-08-01T00:00:00.000Z",
      "datePublic": "2018-12-31T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-12-31T21:57:01.000Z",
        "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "shortName": "facebook"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://twitter.com/reactjs/status/1024745321987887104"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@fb.com",
          "DATE_ASSIGNED": "2018-08-01",
          "ID": "CVE-2018-6341",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "react-dom",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.4.2"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.4.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.3.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.3.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.2.1"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.2.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.1.2"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.1.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.0.1"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.0.0"
                          },
                          {
                            "version_affected": "!\u003c",
                            "version_value": "16.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html",
              "refsource": "MISC",
              "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
            },
            {
              "name": "https://twitter.com/reactjs/status/1024745321987887104",
              "refsource": "MISC",
              "url": "https://twitter.com/reactjs/status/1024745321987887104"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
    "assignerShortName": "facebook",
    "cveId": "CVE-2018-6341",
    "datePublished": "2018-12-31T22:00:00.000Z",
    "dateReserved": "2018-01-26T00:00:00.000Z",
    "dateUpdated": "2025-05-06T16:54:17.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-10746 (GCVE-0-2019-10746)

Vulnerability from cvelistv5 – Published: 2019-08-23 16:43 – Updated: 2024-08-04 22:32

Summary

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Severity

No CVSS data available.

CWE

Prototype Pollution

Assigner

snyk

References

4 references

URL	Tags
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
n/a	mixin-deep	Affected: All versions before 1.3.2 and version 2.0.0.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:32:01.518Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2020-f80e5c0d65",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/"
          },
          {
            "name": "FEDORA-2020-4a8f110332",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mixin-deep",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "All versions before 1.3.2 and version 2.0.0."
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Prototype Pollution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-20T22:53:26.000Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "name": "FEDORA-2020-f80e5c0d65",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/"
        },
        {
          "name": "FEDORA-2020-4a8f110332",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2019-10746",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mixin-deep",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions before 1.3.2 and version 2.0.0."
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Prototype Pollution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2020-f80e5c0d65",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/"
            },
            {
              "name": "FEDORA-2020-4a8f110332",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2019-10746",
    "datePublished": "2019-08-23T16:43:49.000Z",
    "dateReserved": "2019-04-03T00:00:00.000Z",
    "dateUpdated": "2024-08-04T22:32:01.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-10747 (GCVE-0-2019-10747)

Vulnerability from cvelistv5 – Published: 2019-08-23 16:46 – Updated: 2024-08-04 22:32

Summary

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.

Severity

No CVSS data available.

CWE

Prototype Pollution

Assigner

snyk

References

4 references

URL	Tags
https://snyk.io/vuln/SNYK-JS-SETVALUE-450213	x_refsource_MISC
https://lists.apache.org/thread.html/b46f35559c4a…	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Impacted products

1 product

Vendor	Product	Version
n/a	set-value	Affected: All versions before 2.0.1 and version 3.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:32:01.472Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213"
          },
          {
            "name": "[drat-dev] 20191029 [GitHub] [drat] ottlinger opened a new issue #202: Fix security issue in set-value",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292%40%3Cdev.drat.apache.org%3E"
          },
          {
            "name": "FEDORA-2020-1f1c94907b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/"
          },
          {
            "name": "FEDORA-2020-582515fa8a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "set-value",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "All versions before 2.0.1 and version 3.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Prototype Pollution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-08T03:06:21.000Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213"
        },
        {
          "name": "[drat-dev] 20191029 [GitHub] [drat] ottlinger opened a new issue #202: Fix security issue in set-value",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292%40%3Cdev.drat.apache.org%3E"
        },
        {
          "name": "FEDORA-2020-1f1c94907b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/"
        },
        {
          "name": "FEDORA-2020-582515fa8a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2019-10747",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "set-value",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions before 2.0.1 and version 3.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Prototype Pollution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213"
            },
            {
              "name": "[drat-dev] 20191029 [GitHub] [drat] ottlinger opened a new issue #202: Fix security issue in set-value",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E"
            },
            {
              "name": "FEDORA-2020-1f1c94907b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/"
            },
            {
              "name": "FEDORA-2020-582515fa8a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2019-10747",
    "datePublished": "2019-08-23T16:46:36.000Z",
    "dateReserved": "2019-04-03T00:00:00.000Z",
    "dateUpdated": "2024-08-04T22:32:01.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-15168 (GCVE-0-2020-15168)

Vulnerability from cvelistv5 – Published: 2020-09-10 18:25 – Updated: 2024-08-04 13:08

Title

File size limit bypass in node-fetch

Summary

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Severity

2.6 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-20 - Improper Input Validation
CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/node-fetch/node-fetch/security…	x_refsource_CONFIRM
https://www.npmjs.com/package/node-fetch	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
node-fetch	node-fetch	Affected: <2.6.1 Affected: >3.0.0-beta.1, <3.0.0-beta.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:22.463Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.npmjs.com/package/node-fetch"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-fetch",
          "vendor": "node-fetch",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c2.6.1"
            },
            {
              "status": "affected",
              "version": "\u003e3.0.0-beta.1, \u003c3.0.0-beta.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don\u0027t double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-10T18:25:13.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.npmjs.com/package/node-fetch"
        }
      ],
      "source": {
        "advisory": "GHSA-w7rc-rwvf-8q5r",
        "discovery": "UNKNOWN"
      },
      "title": "File size limit bypass in node-fetch",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15168",
          "STATE": "PUBLIC",
          "TITLE": "File size limit bypass in node-fetch"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "node-fetch",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c2.6.1"
                          },
                          {
                            "version_value": "\u003e3.0.0-beta.1, \u003c3.0.0-beta.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "node-fetch"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don\u0027t double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20: Improper Input Validation"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-770 Allocation of Resources Without Limits or Throttling"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r",
              "refsource": "CONFIRM",
              "url": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r"
            },
            {
              "name": "https://www.npmjs.com/package/node-fetch",
              "refsource": "MISC",
              "url": "https://www.npmjs.com/package/node-fetch"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-w7rc-rwvf-8q5r",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15168",
    "datePublished": "2020-09-10T18:25:13.000Z",
    "dateReserved": "2020-06-25T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:08:22.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-7733 (GCVE-0-2020-7733)

Vulnerability from cvelistv5 – Published: 2020-09-16 14:10 – Updated: 2024-09-17 04:00

Title

Regular Expression Denial of Service (ReDoS)

Summary

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

Regular Expression Denial of Service (ReDoS)

Assigner

snyk

References

5 references

URL	Tags
https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226	x_refsource_MISC
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665	x_refsource_MISC
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGIT…	x_refsource_MISC
https://github.com/faisalman/ua-parser-js/commit/…	x_refsource_MISC
https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
n/a	ua-parser-js	Affected: unspecified , < 0.7.22 (custom)

Date Public

2020-09-16 00:00

Credits

Yeting Li

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:41:01.540Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-674666"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/faisalman/ua-parser-js/commit/233d3bae22a795153a7e6638887ce159c63e557d"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ua-parser-js",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "0.7.22",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Yeting Li"
        }
      ],
      "datePublic": "2020-09-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Regular Expression Denial of Service (ReDoS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-20T22:55:28.000Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-674666"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/faisalman/ua-parser-js/commit/233d3bae22a795153a7e6638887ce159c63e557d"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        }
      ],
      "title": "Regular Expression Denial of Service (ReDoS)",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "DATE_PUBLIC": "2020-09-16T14:05:24.850939Z",
          "ID": "CVE-2020-7733",
          "STATE": "PUBLIC",
          "TITLE": "Regular Expression Denial of Service (ReDoS)"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ua-parser-js",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "0.7.22"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Yeting Li"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Regular Expression Denial of Service (ReDoS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226"
            },
            {
              "name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-674665"
            },
            {
              "name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-674666",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBFAISALMAN-674666"
            },
            {
              "name": "https://github.com/faisalman/ua-parser-js/commit/233d3bae22a795153a7e6638887ce159c63e557d",
              "refsource": "MISC",
              "url": "https://github.com/faisalman/ua-parser-js/commit/233d3bae22a795153a7e6638887ce159c63e557d"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2020-7733",
    "datePublished": "2020-09-16T14:10:14.452Z",
    "dateReserved": "2020-01-21T00:00:00.000Z",
    "dateUpdated": "2024-09-17T04:00:09.605Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-7774 (GCVE-0-2020-7774)

Vulnerability from cvelistv5 – Published: 2020-11-17 12:30 – Updated: 2024-09-16 20:13

Title

Prototype Pollution

Summary

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Severity

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

CWE

Prototype Pollution

Assigner

snyk

References

6 references

URL	Tags
https://snyk.io/vuln/SNYK-JS-Y18N-1021887
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306
https://github.com/yargs/y18n/pull/108
https://github.com/yargs/y18n/issues/96
https://www.oracle.com/security-alerts/cpuApr2021.html
https://cert-portal.siemens.com/productcert/pdf/s…

Impacted products

1 product

Vendor	Product	Version
n/a	y18n	Affected: unspecified , < 5.0.5 (custom)

Date Public

2020-11-17 00:00

Credits

po6ix

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:41:01.338Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/yargs/y18n/pull/108"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/yargs/y18n/issues/96"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "y18n",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "5.0.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "po6ix"
        }
      ],
      "datePublic": "2020-11-17T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 6.9,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Prototype Pollution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-14T00:00:00.000Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887"
        },
        {
          "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306"
        },
        {
          "url": "https://github.com/yargs/y18n/pull/108"
        },
        {
          "url": "https://github.com/yargs/y18n/issues/96"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
        }
      ],
      "title": "Prototype Pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2020-7774",
    "datePublished": "2020-11-17T12:30:20.482Z",
    "dateReserved": "2020-01-21T00:00:00.000Z",
    "dateUpdated": "2024-09-16T20:13:29.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-7788 (GCVE-0-2020-7788)

Vulnerability from cvelistv5 – Published: 2020-12-11 10:45 – Updated: 2024-09-16 23:41

Title

Prototype Pollution

Summary

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Severity

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

CWE

Prototype Pollution

Assigner

snyk

References

3 references

URL	Tags
https://snyk.io/vuln/SNYK-JS-INI-1048974	x_refsource_MISC
https://github.com/npm/ini/commit/56d2805e07ccd94…	x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST

Impacted products

1 product

Vendor	Product	Version
n/a	ini	Affected: unspecified , < 1.3.6 (custom)

Date Public

2020-12-11 00:00

Credits

Eugene Lim Government Technology Agency Cyber Security Group

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:41:01.567Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"
          },
          {
            "name": "[debian-lts-announce] 20201221 [SECURITY] [DLA 2503-1] node-ini security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ini",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "1.3.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Eugene Lim"
        },
        {
          "lang": "en",
          "value": "Government Technology Agency Cyber Security Group"
        }
      ],
      "datePublic": "2020-12-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 6.9,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Prototype Pollution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-21T16:06:11.000Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"
        },
        {
          "name": "[debian-lts-announce] 20201221 [SECURITY] [DLA 2503-1] node-ini security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"
        }
      ],
      "title": "Prototype Pollution",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "DATE_PUBLIC": "2020-12-11T10:43:26.139627Z",
          "ID": "CVE-2020-7788",
          "STATE": "PUBLIC",
          "TITLE": "Prototype Pollution"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ini",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.3.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Eugene Lim"
          },
          {
            "lang": "eng",
            "value": "Government Technology Agency Cyber Security Group"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Prototype Pollution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-JS-INI-1048974",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"
            },
            {
              "name": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1",
              "refsource": "MISC",
              "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"
            },
            {
              "name": "[debian-lts-announce] 20201221 [SECURITY] [DLA 2503-1] node-ini security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2020-7788",
    "datePublished": "2020-12-11T10:45:14.077Z",
    "dateReserved": "2020-01-21T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:41:44.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2022-1603

CVE-2017-16028 (GCVE-0-2017-16028)

CVE-2018-3719 (GCVE-0-2018-3719)

CVE-2018-3745 (GCVE-0-2018-3745)

CVE-2018-6341 (GCVE-0-2018-6341)

CVE-2019-10746 (GCVE-0-2019-10746)

CVE-2019-10747 (GCVE-0-2019-10747)

CVE-2020-15168 (GCVE-0-2020-15168)

CVE-2020-7733 (GCVE-0-2020-7733)

CVE-2020-7774 (GCVE-0-2020-7774)

CVE-2020-7788 (GCVE-0-2020-7788)

Tags

Sightings

Nomenclature