New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE–2021–44906 #27

Open

debricked wants to merge 1 commit into main from debricked-fix-CVE_2021_44906-e6b6c01af24afd80

debricked bot commented May 14, 2022

CVE–2021–44906

Vulnerable dependency: minimist (npm) 1.2.5 0.0.8 1.2.0 0.0.10

Vulnerability details

Description

NVD

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

GitHub

Prototype Pollution in minimist

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

CVSS details -

9.8

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    Prototype Pollution in minimist · CVE-2021-44906 · GitHub Advisory Database · GitHub
    THIRD PARTY
    insufficient fix for prototype pollution in setKey() CVE-2021-44906 · Issue #164 · substack/minimist · GitHub
    minimist/index.js at master · substack/minimist · GitHub
    javascript - Adding custom properties to a function - Stack Overflow
    JavaScript-vulnerability-detection/minimist PoC.zip at main · Marynk/JavaScript-vulnerability-detection · GitHub
    don't assign onto proto · substack/minimist@63e7ed0 · GitHub
    even more aggressive checks for protocol pollution · substack/minimist@38a4d1c · GitHub

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE


          Fix CVE–2021–44906

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment