CVE-2020-7637

Опубликовано: 06 апр. 2020

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

class-transformer before 0.3.1 allow attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a proto payload.

Ссылки

https://github.com/typestack/class-transformer/commit/8f04eb9db02de708f1a20f6f2d2bb309b2fed01e
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CLASSTRANSFORMER-564431
Exploit
Third Party Advisory
https://github.com/typestack/class-transformer/commit/8f04eb9db02de708f1a20f6f2d2bb309b2fed01e
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CLASSTRANSFORMER-564431
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:class-transformer_project:class-transformer:*:*:*:*:*:node.js:*:*

Версия до 0.3.1 (исключая)

EPSS

Процентиль: 54%

0.00318

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-1321

Связанные уязвимости

GHSA-6gp3-h3jj-prx4