CVE-2021-23597

Опубликовано: 11 фев. 2022

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. Note: This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382).

Ссылки

https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066
Patch
Third Party Advisory
https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1
Release Notes
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480
Exploit
Patch
Third Party Advisory
https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066
Patch
Third Party Advisory
https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1
Release Notes
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:fastify:fastify-multipart:*:*:*:*:*:fastify:*:*

Версия до 5.3.1 (исключая)

EPSS

Процентиль: 60%

0.00405

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-1321

Связанные уязвимости

GHSA-qh73-qc3p-rjv2