Closed renovate[bot] closed 2 weeks ago
New and removed dependencies detected. Learn more about Socket for GitHub.

Package | New capabilities | Transitives | Size | Publisher
---|---|---|---|---
npm/object-path@0.11.8 | None | 0 | 60.9 kB | mariocasciaro
🚮 Removed packages: npm/object-path@0.11.5
This PR contains the following updates:

Package | Change
---|---
object-path | `0.11.5` -> `0.11.8`
Prototype Pollution in object-path
CVE-2021-23434 / GHSA-v39p-96qg-c8rf / SNYK-JAVA-ORGWEBJARSNPM-1570423 / SNYK-JS-OBJECTPATH-1569453
More information
#### Details

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition `currentPath === '__proto__'` returns false if `currentPath` is `['__proto__']`. This is because the `===` operator always returns false when the type of the operands is different.

#### Severity

- CVSS Score: 5.6 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-23434](https://nvd.nist.gov/vuln/detail/CVE-2021-23434)
- [https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb](https://togithub.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb)
- [https://github.com/mariocasciaro/object-path](https://togithub.com/mariocasciaro/object-path)
- [https://github.com/mariocasciaro/object-path#0116](https://togithub.com/mariocasciaro/object-path#0116)
- [https://github.com/mariocasciaro/object-path%230116](https://togithub.com/mariocasciaro/object-path%230116)
- [https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html](https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html)
- [https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423](https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423)
- [https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453](https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-v39p-96qg-c8rf) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Prototype Pollution in object-path
CVE-2021-3805 / GHSA-8v63-cqqc-6r2c
More information
#### Details

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The `del()` function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like `toString` on all objects.

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-3805](https://nvd.nist.gov/vuln/detail/CVE-2021-3805)
- [https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884](https://togithub.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884)
- [https://github.com/mariocasciaro/object-path](https://togithub.com/mariocasciaro/object-path)
- [https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053](https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053)
- [https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html](https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8v63-cqqc-6r2c) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes
mariocasciaro/object-path (object-path)
### [`v0.11.8`](https://togithub.com/mariocasciaro/object-path/compare/v0.11.7...v0.11.8)

[Compare Source](https://togithub.com/mariocasciaro/object-path/compare/v0.11.7...v0.11.8)

### [`v0.11.7`](https://togithub.com/mariocasciaro/object-path/compare/v0.11.6...v0.11.7)

[Compare Source](https://togithub.com/mariocasciaro/object-path/compare/v0.11.6...v0.11.7)

### [`v0.11.6`](https://togithub.com/mariocasciaro/object-path/compare/63324602658f0860a25bde311b0087625dfee439...v0.11.6)

[Compare Source](https://togithub.com/mariocasciaro/object-path/compare/63324602658f0860a25bde311b0087625dfee439...v0.11.6)

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
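The two advisories in this PR share one root cause: a path component reaches a property access without being validated the way the engine will coerce it. The following is an added example, not code from object-path or from the Renovate PR, written to show why the `currentPath === '__proto__'` guard quoted in CVE-2021-23434 misses an array component such as `['__proto__']`, and what a guard that also covers `del()` (CVE-2021-3805) looks like. The function names (`strictGuardBlocks`, `normalizedGuardBlocks`, `assertSafePath`, `safeSet`, `safeDel`) and the deny-list are assumptions of this example, not object-path's API.

```javascript
// Added example, not object-path's code. Shows the type-confusion gap in a
// strict-equality key guard and a guard that normalizes the component the same
// way property access does. All names below are this example's own.

// Keys through which a write or delete reaches Object.prototype or a constructor.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// The flawed pattern described in CVE-2021-23434: `===` is false whenever the
// operand types differ, so an array-typed component is never recognised.
function strictGuardBlocks(component) {
  return component === '__proto__';
}

// Hardened guard: property access converts the key with ToPropertyKey, so an
// array like ['__proto__'] becomes the string '__proto__'. Apply the same
// conversion before comparing, and reject every prototype-reaching key.
function normalizedGuardBlocks(component) {
  return UNSAFE_KEYS.has(String(component));
}

// Demonstrates the gap on a probe object: the engine coerces the array key to
// '__proto__', the strict guard does not notice, the normalized guard does.
function coercionDemo() {
  const probe = {};
  return {
    engineCoercesArrayKey: probe[['__proto__']] === Object.prototype,
    strictGuardCatches: strictGuardBlocks(['__proto__']),
    normalizedGuardCatches: normalizedGuardBlocks(['__proto__']),
  };
}

// Validate every component of a path ('a.b.c' or array form) once, before the
// target object is touched. Throwing is preferable to silently skipping: the
// caller learns that untrusted input carried a prototype key.
function assertSafePath(path) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  for (const part of parts) {
    if (normalizedGuardBlocks(part)) {
      throw new TypeError(`refusing to traverse unsafe key ${JSON.stringify(String(part))}`);
    }
  }
  return parts.map(String);
}

// Minimal deep set that only descends into own, plain-object properties.
function safeSet(obj, path, value) {
  const parts = assertSafePath(path);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Minimal deep delete with the same validation; this is the check the
// advisory for CVE-2021-3805 says del() lacked.
function safeDel(obj, path) {
  const parts = assertSafePath(path);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, parts[i])) return obj;
    cur = cur[parts[i]];
    if (typeof cur !== 'object' || cur === null) return obj;
  }
  delete cur[parts[parts.length - 1]];
  return obj;
}

// Stand-alone run: prints the guard comparison and a normal set/del round trip.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(coercionDemo());
  const doc = safeSet({}, 'config.debug', true);
  console.log(JSON.stringify(doc));
  safeDel(doc, ['config', 'debug']);
  console.log(JSON.stringify(doc));
}
```

The point of `normalizedGuardBlocks` is not the deny-list itself but that it compares after the same `String()` conversion the engine applies to a computed key, so a guard can no longer disagree with the property access it protects. Detection-wise, any input path whose components are not plain strings is worth rejecting outright when the path comes from a request body or query string.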