CVE-2021-23624

Опубликовано: 03 нояб. 2021

Источник: nvd

CVSS3: 5.6

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

This affects the package dotty before 0.1.2. A type confusion vulnerability can lead to a bypass of CVE-2021-25912 when the user-provided keys used in the path parameter are arrays.

Ссылки

https://github.com/deoxxa/dotty/commit/88f61860dcc274a07a263c32cbe9d44c24ef02d7
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-DOTTY-1577292
Exploit
Mitigation
Patch
Third Party Advisory
VDB Entry
https://github.com/deoxxa/dotty/commit/88f61860dcc274a07a263c32cbe9d44c24ef02d7
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-DOTTY-1577292
Exploit
Mitigation
Patch
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:dotty_project:dotty:*:*:*:*:*:*:*:*

Версия до 0.1.2 (исключая)

EPSS

Процентиль: 62%

0.00427

Низкий

5.6 Medium

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-843

Связанные уязвимости

GHSA-6g47-63mv-qpgh

CVSS3: 5.6

github

около 4 лет назад

Prototype Pollution in dotty

EPSS

Процентиль: 62%

0.00427

Низкий

5.6 Medium

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-843