Prototype Pollution vulnerability #738

Closed
romain-guillot-symphony opened this issue Jan 19, 2021 · 3 comments

romain-guillot-symphony commented Jan 19, 2021

🐛 Bug Report

A Prototype Pollution vulnerability has been raised by Snyk and it is affecting all versions of immer.
The vulnerability seems to be on the following line
Find more details here

Environment

All immer versions

@mweststrate
Collaborator

Solved and released in 8.0.1

dimaqq commented Jan 21, 2021

Was only applyPatches affected, or was regular, recommended use of immer transitively affected too?
(just wondering how urgent it is to push a new version of dependent software into production)

mweststrate commented Jan 21, 2021 via email

This was referenced Mar 14, 2021
ericsuh pushed a commit to descriptinc/immer that referenced this issue May 25, 2021
fix: Fixed security issue immerjs#738: prototype pollution possible when applying patches CVE-2020-28477

See: CVE-2020-28477 / SNYK-JS-IMMER-1019369
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28477
https://snyk.io/vuln/SNYK-JS-IMMER-1019369
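
A defensive check related to the issue above, for code that applies patches received from an untrusted source: validate every patch path before handing the batch to the patch applier. This is an added example, not code from the thread or from immer; the patch shape `{ op, path, value }` and the names `rejectReason`, `applyPatchesChecked` and `standInApply` are assumptions made for illustration.

```javascript
// Added example, not immer's code. Assumed patch shape: { op, path: [...], value }.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const ALLOWED_OPS = new Set(["add", "replace", "remove"]);

// Returns a rejection reason, or null when the patch is acceptable.
function rejectReason(patch) {
  if (patch === null || typeof patch !== "object") return "patch is not an object";
  if (!ALLOWED_OPS.has(patch.op)) return "unsupported op";
  if (!Array.isArray(patch.path)) return "path is not an array";
  for (const seg of patch.path) {
    // Type check first: an array segment coerces to a string when used as a key.
    if (typeof seg !== "string" && typeof seg !== "number") return "bad segment type";
    if (FORBIDDEN_KEYS.has(String(seg))) return "forbidden segment: " + seg;
  }
  return null;
}

// Validate the whole batch first so a rejected patch never leaves a partial result.
function applyPatchesChecked(base, patches, apply) {
  patches.forEach((patch, i) => {
    const reason = rejectReason(patch);
    if (reason) throw new Error("patch " + i + " rejected: " + reason);
  });
  return apply(base, patches);
}

// Hypothetical stand-in applier so the example runs offline.
function standInApply(base, patches) {
  let out = JSON.parse(JSON.stringify(base));
  for (const { op, path, value } of patches) {
    if (path.length === 0) { out = value; continue; }
    let node = out;
    for (const seg of path.slice(0, -1)) node = node[seg];
    const last = path[path.length - 1];
    if (op === "remove") delete node[last]; else node[last] = value;
  }
  return out;
}

// Constructed sample input.
const state = { user: { name: "a" } };
const benign = [{ op: "replace", path: ["user", "name"], value: "b" }];
const hostile = [{ op: "add", path: ["__proto__", "polluted"], value: true }];

function tryApply(patches) {
  try { return { ok: applyPatchesChecked(state, patches, standInApply) }; }
  catch (e) { return { error: e.message }; }
}
console.log(tryApply(benign), tryApply(hostile));
```

A check like this also rejects legitimate state that uses `constructor` or `prototype` as an ordinary key, so it complements upgrading to the fixed release rather than replacing it.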