Prototype Pollution in set-value #444
Labels
Auto Create Issues
Label for Auto Created Issues
Critical
This label for Security Severity only
do-not-autoclose
Make bot can't close an Issues or PRs
Security
Label for Security Issues
Milestone
Comments
TheKingTermux
added
do-not-autoclose
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
Recommendation
If you are using set-value 3.x, upgrade to version 3.0.1 or later.
If you are using set-value 2.x, upgrade to version 2.0.1 or later.
Severity Check
Severity Number
9.8 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses
WeaknessCWE-1321
CVE ID
CVE-2019-10747
GHSA ID
GHSA-4g88-fppr-53pp
Information
Package
set-value (npm)
Affected versions
< 2.0.1
Patched version
2.0.1
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10747
https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
https://www.npmjs.com/advisories/1012
https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/
jonschlinkert/set-value@95e9d99
jonschlinkert/set-value@cb12f14
The text was updated successfully, but these errors were encountered: