CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, in the condition ignoreProperties.indexOf(parts[i]) !== -1, indexOf returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf().

• https://github.com/aheckmann/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579548
• https://snyk.io/vuln/SNYK-JS-MPATH-1577289
• CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.

• https://github.com/ossf-cve-benchmark/CVE-2018-16490
• https://hackerone.com/reports/390860
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-400: Uncontrolled Resource Consumption