Описание
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.
A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.
Отчет
Prototype Pollution is rated with as Important severity issue because it exploits the fundamental inheritance mechanism of JavaScript objects, allowing an attacker to maliciously alter the global Object.prototype. This can lead to widespread and unpredictable behavior across the entire application, as all objects inherit from this polluted prototype. The consequences can range from denial of service (DoS), where important functions like toString() are rendered unusable, to remote code execution (RCE), where injected properties are executed in privileged contexts. rhdh-hub-container 1.2 include the patch for this vulnerability starting at 1.2.5
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Serverless | dset | Not affected | ||
| Red Hat Developer Hub | rhdh-operator-container | Not affected | ||
| Red Hat Developer Hub 1.3 on RHEL 9 | rhdh/rhdh-hub-rhel9 | Fixed | RHBA-2024:7523 | 02.10.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.2 High
CVSS3
Связанные уязвимости
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.
EPSS
8.2 High
CVSS3