CVE-2021-21297

Опубликовано: 26 фев. 2021

Источник: nvd

CVSS3: 7.7

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor url.

Ссылки

https://github.com/node-red/node-red/releases/tag/1.2.8
Release Notes
Third Party Advisory
https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67
Third Party Advisory
https://www.npmjs.com/package/%40node-red/editor-api
https://www.npmjs.com/package/%40node-red/runtime
https://github.com/node-red/node-red/releases/tag/1.2.8
Release Notes
Third Party Advisory
https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67
Third Party Advisory
https://www.npmjs.com/package/%40node-red/editor-api
https://www.npmjs.com/package/%40node-red/runtime

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nodered:node-red:*:*:*:*:*:node.js:*:*

Версия до 1.2.8 (исключая)

EPSS

Процентиль: 55%

0.00327

Низкий

7.7 High

CVSS3

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-915

CWE-1321

Связанные уязвимости

GHSA-xp9c-82x8-7f67

CVSS3: 7.7

github

почти 5 лет назад

Prototype Pollution in Node-Red

BDU:2023-08025

CVSS3: 7.7

fstec

почти 5 лет назад

Уязвимость реализации прикладного программного интерфейса графического программного средства создания потоковых приложений Node-Red, позволяющая нарушителю изменить прототип объекта JavaScript по умолчанию

EPSS

Процентиль: 55%

0.00327

Низкий

7.7 High

CVSS3

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-915

CWE-1321