CVE-2023-26139

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252	Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714	Third Party Advisory
https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252	Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:underscore-keypath_project:underscore-keypath:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2023-08-01 05:15

Updated : 2024-11-21 07:50

NVD link : CVE-2023-26139

Mitre link : CVE-2023-26139

CVE.ORG link : CVE-2023-26139

JSON object : View

Products Affected

underscore-keypath_project

underscore-keypath

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

{"id": "CVE-2023-26139", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-08-01T05:15:34.843", "references": [{"url": "https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-1321"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like \u201c__proto__\u201d."}], "lastModified": "2024-11-21T07:50:51.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:underscore-keypath_project:underscore-keypath:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B17E46B6-092D-4BEA-A68C-820C63230F25", "versionStartIncluding": "0.0.11"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}