Описание
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing __proto__ at any position other than the first. Both dottie.set() and dottie.transform() are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
A flaw was found in dottie.js, a JavaScript library for nested object access and manipulation. An incomplete fix for a previous vulnerability allows a remote attacker to bypass prototype pollution protection by placing 'proto' at any position other than the first in a dot-separated path. This vulnerability affects the dottie.set() and dottie.transform() functions. Successful exploitation can lead to unauthorized modification of object properties, potentially causing unexpected application behavior, information disclosure, or denial of service.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-pccs | Not affected | ||
| Red Hat Enterprise Linux 10 | linux-sgx | Affected | ||
| Red Hat Enterprise Linux 9 | linux-sgx | Affected | ||
| Red Hat Satellite 6 | satellite/iop-remediations-rhel9 | Affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
6.3 Medium
CVSS3
Связанные уязвимости
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
Dottie provides nested object access and manipulation in JavaScript. V ...
dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
6.3 Medium
CVSS3