Описание
Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of underscore.deep prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to deepFromFlat, which would pollute any future Objects created. Any users that have deepFromFlat or deepPick (due to its dependency on deepFromFlat) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying deepFromFlat to prevent specific keywords which will prevent this from happening.
Ссылки
- PatchThird Party Advisory
- ExploitIssue TrackingPatchThird Party Advisory
- PatchThird Party Advisory
- ExploitIssue TrackingPatchThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.5.3 (исключая)
cpe:2.3:a:clever:underscore.deep:*:*:*:*:*:node.js:*:*
EPSS
Процентиль: 58%
0.00363
Низкий
8.3 High
CVSS3
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-915
CWE-1321
EPSS
Процентиль: 58%
0.00363
Низкий
8.3 High
CVSS3
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-915
CWE-1321