CVSS: 9.8EPSS: 6%CPEs: 3EXPL: 3CVE-2021-23440 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2021-23440
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays. Esto afecta al paquete set-value anterior a la versión 2.0.1, posterior o igual a la versión 3.0.0 y anterior a la versión 4.0.1. Una vulnerabilidad de confusión de tipos puede conducir a una derivación de CVE-2019-10747 cuando las claves proporcionadas por el usuario utilizadas en el parámetro de ruta son matrices A type confusion vulnerability in nodejs-set-value can lead to a bypass of CVE-2019-10747. If the user-provided keys used in the path parameter are arrays, the function mixin-deep can be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or _proto_ payloads. • https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452 https://github.com/jonschlinkert/set-value/pull/33 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212 https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541 https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2021-23440 https://bugzilla.redhat.com/show_bug.cgi?id=2004944 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 2CVE-2019-10747 – nodejs-set-value: prototype pollution in function set-value
https://notcve.org/view.php?id=CVE-2019-10747
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads. set-value es vulnerable a Prototype Pollution en versiones anteriores a 2.0.1 y la versión 3.0.0. La función mixin-deep podría ser engañada para agregar o modificar propiedades de Object.prototype usando cualquiera de las cargas útiles de constructor, prototipo y _proto_ payloads. A flaw was found in nodejs-set-value. The function mixin-deep can be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or _proto_ payloads. • https://github.com/ossf-cve-benchmark/CVE-2019-10747 https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292%40%3Cdev.drat.apache.org%3E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT https://snyk.io/vuln/SNYK-JS-SETVALUE-450213 https://access.redhat.com/security/cve/CVE-2019-10747 https://bugzi • CWE-400: Uncontrolled Resource Consumption CWE-471: Modification of Assumed-Immutable Data (MAID) •