Description
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains `__proto__`, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
A flaw was found in the dset package via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains a `__proto__`, constructor, or prototype. This flaw allows an attacker to craft a malicious object, bypassing this check and achieving prototype pollution.
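A minimal model of the flaw described above, added here as an illustration and not taken from dset's source: `setPath`, `unsafeMerge`, `safeMerge` and the sample input are hypothetical names constructed for the example. It shows why validating only the path is insufficient when the value itself is merged recursively, next to a merge that filters keys at every depth.

```javascript
// Simplified model of a path setter with a merge mode (hypothetical names, not dset's source).
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
const isObj = (v) => v !== null && typeof v === 'object';

// Recursive merge with no key filtering: the path check never sees these keys.
function unsafeMerge(target, source) {
  if (!isObj(target) || !isObj(source)) return source;
  for (const key in source) target[key] = unsafeMerge(target[key], source[key]);
  return target;
}

// Hardened merge: own keys of the value are filtered at every depth.
function safeMerge(target, source) {
  if (!isObj(source)) return source;
  const out = isObj(target) ? target : Array.isArray(source) ? [] : {};
  for (const key of Object.keys(source)) {
    if (!BLOCKED.has(key)) out[key] = safeMerge(out[key], source[key]);
  }
  return out;
}

// Validates path segments only, then hands the value to `merge`.
function setPath(obj, path, value, merge) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED.has(k))) return false; // the check the advisory describes
  let node = obj;
  for (const key of keys.slice(0, -1)) {
    if (!isObj(node[key])) node[key] = {};
    node = node[key];
  }
  const last = keys[keys.length - 1];
  node[last] = merge(node[last], value);
  return true;
}

// Constructed input: JSON.parse creates "__proto__" as an own, enumerable key.
const CRAFTED = '{"__proto__": {"polluted": true}, "theme": "dark"}';

// Reports whether Object.prototype was modified, then restores it.
function pollutes(merge) {
  const config = { settings: {} };
  setPath(config, 'settings', JSON.parse(CRAFTED), merge);
  const hit = ({}).polluted === true;
  delete Object.prototype.polluted;
  return hit;
}

console.log({ unsafe: pollutes(unsafeMerge), hardened: pollutes(safeMerge) });
```

The same `pollutes` check works as a regression test for any merge helper that accepts parsed JSON from untrusted input.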
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-ui-rhel8 | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-grafana-container | Fixed | RHSA-2022:5201 | 27.06.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-must-gather-container | Fixed | RHSA-2022:5201 | 27.06.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-operator-bundle-container | Fixed | RHSA-2022:5201 | 27.06.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | application-ui-container | Fixed | RHSA-2022:5201 | 27.06.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | assisted-image-service-container | Fixed | RHSA-2022:5201 | 27.06.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cert-policy-controller-container | Fixed | RHSA-2022:5201 | 27.06.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cluster-backup-operator-container | Fixed | RHSA-2022:5201 | 27.06.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | clusterclaims-controller-container | Fixed | RHSA-2022:5201 | 27.06.2022 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cluster-curator-controller-container | Fixed | RHSA-2022:5201 | 27.06.2022 |
Additional information
Status:
EPSS
CVSS3: 6.5 Medium
Related vulnerabilities
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains `__proto__`, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
EPSS
CVSS3: 6.5 Medium