Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE–2021–44906 #9

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix CVE–2021–44906 #9

wants to merge 1 commit into from

Conversation

debricked[bot]
Copy link

@debricked debricked bot commented May 24, 2022
edited by debricked-staging bot

CVE–2021–44906

Vulnerability details

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

NVD

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

GitHub

Prototype Pollution in minimist

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector Network
Attack Complexity Low
Privileges Required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
References

    Prototype Pollution in minimist · CVE-2021-44906 · GitHub Advisory Database · GitHub
    NVD - CVE-2021-44906
    insufficient fix for prototype pollution in setKey() CVE-2021-44906 · Issue #164 · substack/minimist · GitHub
    minimist/index.js at master · substack/minimist · GitHub
    javascript - Adding custom properties to a function - Stack Overflow
    JavaScript-vulnerability-detection/minimist PoC.zip at main · Marynk/JavaScript-vulnerability-detection · GitHub
    don't assign onto proto · substack/minimist@63e7ed0 · GitHub
    even more aggressive checks for protocol pollution · substack/minimist@38a4d1c · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 

@debricked debricked bot force-pushed the debricked-fix-CVE_2021_44906-9383629b7fa077ce branch from 1d12b77 to 031da8e Compare September 12, 2022 19:48
@debricked-staging debricked-staging bot force-pushed the debricked-fix-CVE_2021_44906-9383629b7fa077ce branch 2 times, most recently from 866e5ee to af5aee9 Compare September 13, 2022 05:58
@debricked debricked bot force-pushed the debricked-fix-CVE_2021_44906-9383629b7fa077ce branch from af5aee9 to 62388f1 Compare September 13, 2022 05:59
@debricked-staging debricked-staging bot force-pushed the debricked-fix-CVE_2021_44906-9383629b7fa077ce branch from 62388f1 to 75e834b Compare September 23, 2022 10:14
@debricked-staging debricked-staging bot force-pushed the debricked-fix-CVE_2021_44906-9383629b7fa077ce branch 6 times, most recently from 6ad4242 to e09023d Compare November 9, 2022 18:16
@debricked-staging debricked-staging bot changed the title Fix CVE–2021–44906 Fix vulnerabilities Nov 9, 2022
@debricked-staging debricked-staging bot force-pushed the debricked-fix-CVE_2021_44906-9383629b7fa077ce branch 2 times, most recently from 55eb446 to aadf72e Compare November 9, 2022 18:36
@debricked-staging debricked-staging bot changed the title Fix vulnerabilities Fix CVE–2021–44906 Jan 3, 2023
@debricked-staging debricked-staging bot force-pushed the debricked-fix-CVE_2021_44906-9383629b7fa077ce branch from aadf72e to 166a247 Compare January 3, 2023 10:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants