GHSA-mx67-wv8x-hvv9

Опубликовано: 26 июл. 2021

Источник: github

Github: Прошло ревью

CVSS3: 9.8

Описание

Deserialization of Untrusted Data in msgpack

Withdrawn

This advisory was withdrawn by its CNA (Snyk).

Original advisory

All versions of package msgpack are vulnerable to Deserialization of Untrusted Data via the unpack function. This does not affect the similarly named package @msgpack/msgpack.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2021-23410
https://github.com/msgpack/msgpack-node
https://github.com/msgpack/msgpack-node/blob/master/src/msgpack.cc%23L302-L335
https://snyk.io/vuln/SNYK-JS-MSGPACK-1296122

Пакеты

Наименование

msgpack

npm

Затронутые версииВерсия исправления

<= 1.0.3

Отсутствует

9.8 Critical

CVSS3

CVE ID

CVE-2021-23410

Дефекты

CWE-502

Связанные уязвимости

CVE-2021-23410

nvd

больше 4 лет назад

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none

9.8 Critical

CVSS3

CVE ID

CVE-2021-23410

Дефекты

CWE-502