exploitDog

CVE-2020-15256

Published: 20 Oct 2020
Source: redhat
CVSS3: 9.8
EPSS: Low

Description

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the includeInheritedProps: true option or the withInheritedProps instance if using a version >= 0.11.0.

A flaw was found in object-path. A prototype pollution vulnerability has been found in object-path affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Statement

Red Hat Advanced Cluster Management for Kubernetes 2.1 uses an affected version of object-path, but the vulnerable functionality includeInheritedProps and withInheritedProps is not present. A future update will include fixed versions of object-path, which will prevent this vulnerability from being introduced.

Mitigation

Projects using object-path versions 0.11.0 through 0.11.4 are only exposed to this vulnerability if they use the setting includeInheritedProps: true or use the withInheritedProps instance. If you are using these versions but this setting and class are both absent from your code, the vulnerability cannot be exploited.
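Putting the version ranges from the description and the two conditions from the mitigation above into a check a practitioner can run over a lockfile and source tree, as an added example that is not code from exploitDog, Red Hat or the object-path project (the lockfile layouts and source patterns it assumes are constructed and not exhaustive):

```javascript
// Added example (not object-path's own code): assess a project against CVE-2020-15256.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmpVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Per the advisory: < 0.11.0 every set() call is vulnerable; 0.11.0 to 0.11.4 only
// with includeInheritedProps / withInheritedProps; 0.11.5 and later are fixed.
function classifyVersion(version) {
  const v = parseVersion(version);
  if (cmpVersions(v, [0, 11, 0]) < 0) return 'vulnerable';
  if (cmpVersions(v, [0, 11, 5]) < 0) return 'conditional';
  return 'fixed';
}
// Constructed patterns for the risky option/instance: they flag code for review
// and cannot see options assembled dynamically at runtime.
const RISKY_USAGE = [/includeInheritedProps\s*:\s*true/, /\bwithInheritedProps\b/];
function usesInheritedProps(source) {
  return RISKY_USAGE.some((re) => re.test(source));
}
// Collect object-path versions from a parsed package-lock.json
// (lockfile v1 nested "dependencies", v2/v3 flat "packages").
function findObjectPathVersions(lock) {
  const found = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key.endsWith('node_modules/object-path')) found.push(entry.version);
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name === 'object-path') found.push(entry.version);
      walk(entry.dependencies);
    }
  };
  if (!lock.packages) walk(lock.dependencies);
  return found;
}
// Verdict exactly as the mitigation section describes it.
function assess(version, source) {
  const status = classifyVersion(version);
  if (status === 'conditional') return usesInheritedProps(source) ? 'vulnerable' : 'not affected';
  return status === 'fixed' ? 'not affected' : 'vulnerable';
}
// Constructed sample inputs; prints "0.11.4 vulnerable" for the risky source.
const sampleLock = { lockfileVersion: 1, dependencies: { 'object-path': { version: '0.11.4' } } };
const riskySource = "const op = require('object-path').withInheritedProps;\nop.set(cfg, k, v);";
findObjectPathVersions(sampleLock).forEach((v) => console.log(v, assess(v, riskySource)));
```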

Affected packages

Platform                                              Package           State         Advisory   Release
Red Hat Advanced Cluster Management for Kubernetes 2  console-api       Not affected
Red Hat Advanced Cluster Management for Kubernetes 2  grc-ui-api        Not affected
Red Hat Advanced Cluster Management for Kubernetes 2  mcm-topology-api  Not affected
Red Hat Advanced Cluster Management for Kubernetes 2  search-api        Not affected

Additional information

Status: Important
Weakness: CWE-20
Weakness: CWE-471
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1902267 (object-path: Prototype pollution could result in DoS or RCE)

EPSS: 0.00175 (percentile 39%, Low)

CVSS3: 9.8 Critical

Related vulnerabilities

CVSS3: 7.7
ubuntu
more than 5 years ago

CVSS3: 7.7
nvd
more than 5 years ago

CVSS3: 7.7
debian
more than 5 years ago

CVSS3: 7.7
github
more than 5 years ago

Prototype pollution in object-path

CVSS3: 9.8
fstec
more than 4 years ago

A vulnerability in the set function of the object-path library in the Аврора Центр (Aurora Center) application software, related to uncontrolled modification of object prototype attributes, allows an attacker to carry out a prototype pollution attack.