CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-3805 – Prototype Pollution in mariocasciaro/object-path
https://notcve.org/view.php?id=CVE-2021-3805
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') object-path es vulnerable a una Modificación Inapropiada de los Atributos del Prototipo del Objeto ("Contaminación de Prototipo") A flaw was found in the object-path nodejs library when the del() function is called to validate object properties. An attacker can manipulate or alter the prototype of an object causing the modification of default properties on all objects. This could lead into a service disruption or a denial of service attack (DoS). • https://github.com/mariocasciaro/object-path/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6 https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053 https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html https://access.redhat.com/security/cve/CVE-2021-3805 https://bugzilla.redhat.com/show_bug.cgi?id=2006397 • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 2CVE-2021-23434 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2021-23434
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different. Esto afecta al paquete object-path versiones anteriores a 0.11.6. • https://github.com/mariocasciaro/object-path%230116 https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423 https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453 https://access.redhat.com/security/cve/CVE-2021-23434 https://bugzilla.redhat.com/show_bug.cgi?id=1999810 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15256 – Prototype pollution in object-path
https://notcve.org/view.php?id=CVE-2020-15256
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0. • https://github.com/ossf-cve-benchmark/CVE-2020-15256 https://github.com/mariocasciaro/object-path/commit/2be3354c6c46215c7635eb1b76d80f1319403c68 https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w • CWE-20: Improper Input Validation CWE-471: Modification of Assumed-Immutable Data (MAID) •