You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.
set-value@2.0.1 was released in 2019 while this fix was a 2021 change. However, jonschlinkert/set-value@2.0.0...jonschlinkert:set-value:2.0.1 indicates some validation is happening. Empowered by the research from Snyk, I believe this is not an issue on 2.0.1.
CVE-2021-23440 - High Severity Vulnerability
Vulnerable Library - set-value-2.0.1.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz
Dependency Hierarchy:
Found in HEAD commit: cba076465f44b6a819e3cff7986ff4cd21a66371
Found in base branch: main
Vulnerability Details
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-12
Fix Resolution: set-value - 4.0.1
The text was updated successfully, but these errors were encountered: