Fix CVE–2021–23440

[debricked-staging]

CVE–2021–23440

Vulnerable dependency:     set-value (npm)    2.0.0    0.4.3

Vulnerability details

Description

Access of Resource Using Incompatible Type ('Type Confusion')

The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

NVD

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

GitHub

Prototype Pollution in set-value

This affects the package set-value before 2.0.1, and starting with 3.0.0 but prior to 4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    Prototype Pollution in set-value · CVE-2021-23440 · GitHub Advisory Database · GitHub
    NVD - CVE-2021-23440
    Prototype Pollution vulnerability found in set-value
    Security Fix for Prototype Pollution by ready-research · Pull Request #33 · jonschlinkert/set-value · GitHub
    4.0.1 · jonschlinkert/set-value@7cf8073 · GitHub
    Comparing jonschlinkert:HEAD...ready-research:ready-research-Prototype-Pollution · jonschlinkert/set-value · GitHub
    GitHub - jonschlinkert/set-value: Set nested properties on an object using dot-notation.
    Oracle Critical Patch Update Advisory - January 2022

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE