CVE-2021-28860

Опубликовано: 03 мая 2021

Источник: nvd

CVSS3: 9.1

CVSS2: 6.4

EPSS Низкий

Описание

In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).

Ссылки

http://nodejs.com
Third Party Advisory
URL Repurposed
https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
Patch
Third Party Advisory
https://github.com/adaltas/node-mixme/issues/1
Issue Tracking
Third Party Advisory
https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4
Patch
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210618-0005/
Third Party Advisory
https://www.npmjs.com/~david
Third Party Advisory
http://nodejs.com
Third Party Advisory
URL Repurposed
https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
Patch
Third Party Advisory
https://github.com/adaltas/node-mixme/issues/1
Issue Tracking
Third Party Advisory
https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4
Patch
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210618-0005/
Third Party Advisory
https://www.npmjs.com/~david
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:adaltas:mixme:*:*:*:*:*:node.js:*:*

Версия до 0.5.1 (исключая)

EPSS

Процентиль: 78%

0.01156

Низкий

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-1321

Связанные уязвимости

GHSA-r5cq-9537-9rpf