CVE-2021-23438

Опубликовано: 01 сент. 2021

Источник: nvd

CVSS3: 5.6

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['proto']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

Ссылки

https://github.com/aheckmann/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579548
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-MPATH-1577289
Exploit
Third Party Advisory
https://github.com/aheckmann/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579548
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-MPATH-1577289
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mpath_project:mpath:*:*:*:*:*:node.js:*:*

Версия до 0.8.4 (исключая)

EPSS

Процентиль: 66%

0.00518

Низкий

5.6 Medium

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-843

Связанные уязвимости

CVE-2021-23438

CVSS3: 5.6

redhat

больше 4 лет назад

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

GHSA-p92x-r36w-9395

CVSS3: 5.6

github

больше 4 лет назад

Type confusion in mpath

EPSS

Процентиль: 66%

0.00518

Низкий

5.6 Medium

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-843