CVE-2021-23438

Опубликовано: 01 сент. 2021

Источник: redhat

CVSS3: 5.6

EPSS Низкий

Описание

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['proto']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

Отчет

The vulnerable component is no longer shipped with Red Hat Advanced Cluster Management for Kubernetes.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Advanced Cluster Management for Kubernetes 2	mpath	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=2000982mpath: type confusion can lead to a bypass of CVE-2018-16490

EPSS

Процентиль: 66%

0.00518

Низкий

5.6 Medium

CVSS3

Связанные уязвимости

CVE-2021-23438

CVSS3: 5.6

nvd

больше 4 лет назад

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

GHSA-p92x-r36w-9395

CVSS3: 5.6

github

больше 4 лет назад

Type confusion in mpath

EPSS

Процентиль: 66%

0.00518

Низкий

5.6 Medium

CVSS3