CVE-2022-21189

Опубликовано: 01 мая 2022

Источник: nvd

CVSS3: 7.3

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.

Ссылки

https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164
Broken Link
https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-DEXIE-2607042
Exploit
Third Party Advisory
https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164
Broken Link
https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-DEXIE-2607042
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:dexie:dexie:*:*:*:*:*:node.js:*:*

Версия до 3.2.2 (исключая)

cpe:2.3:a:dexie:dexie:4.0.0:alpha1:*:*:*:*:*:*

cpe:2.3:a:dexie:dexie:4.0.0:alpha2:*:*:*:*:*:*

EPSS

Процентиль: 42%

0.00204

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-1321

Связанные уязвимости

GHSA-3xgx-r9j4-qw9w

CVSS3: 7.3

github

почти 4 года назад

Prototype Pollution in Dexie

EPSS

Процентиль: 42%

0.00204

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-1321