CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

A flaw was found in immer when it manipulates object attributes such as __proto__, constructor and prototype. An attacker can manipulate these values by overwriting and polluting them. Those attributes would then be inherited by JavaScript objects, which could trigger exception handlers and lead to a denial of service.

References:
• https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237
• https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa
• https://access.redhat.com/security/cve/CVE-2021-3757
• https://bugzilla.redhat.com/show_bug.cgi?id=2000734

Weaknesses:
• CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different types.

References:
• https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579266
• https://snyk.io/vuln/SNYK-JS-IMMER-1540542
• https://access.redhat.com/security/cve/CVE-2021-23436
• https://bugzilla.redhat.com/show_bug.cgi?id=2041833

Weaknesses:
• CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

This affects all versions of package immer.

References:
• https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts%23L213
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986
• https://snyk.io/vuln/SNYK-JS-IMMER-1019369
• https://access.redhat.com/security/cve/CVE-2020-28477
• https://bugzilla.redhat.com/show_bug.cgi?id=1918162

Weaknesses:
• CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes