lukeed / dset

A tiny (197B) utility for safely writing deep Object values~!
MIT License

Vulnerability version 3.1.3 #44

Open dcardonac31 opened 10 months ago

dcardonac31 commented 10 months ago

Identifiers:
pkg:npm/dset@3.1.3 (Confidence: Highest)
cpe:2.3:a:dset_project:dset:3.1.3:*:*:*:*:*:*:* (Confidence: Highest)

Published Vulnerabilities: CVE-2022-25645

All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution. CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
MISC - https://github.com/lukeed/dset/blob/master/src/merge.js#L9
MISC - https://github.com/lukeed/dset/pull/38
MISC - https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2431974
MISC - https://snyk.io/vuln/SNYK-JS-DSET-2330881

Vulnerable Software & Versions:
cpe:2.3:a:dset_project:dset:*:*:*:*:*:node.js:*:*
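The advisory above describes a guard that only inspects the top-level path. The added example below is not dset's own code: it is a small deep merge for untrusted JSON that walks the whole source tree first and refuses the keys __proto__, constructor and prototype at every depth, so nothing is written to the target unless the entire input is clean. The function names (findForbiddenKey, deepMerge, mergeUntrustedJson) and the sample inputs are constructed for this illustration.

```javascript
// Added example, not code from the dset project: a deep merge that refuses
// prototype-polluting keys at every depth, validating before any write.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Walks the whole source tree and returns the dotted path of the first
// forbidden key, or null when the tree is clean. Because this runs before
// the merge, a rejected input never leaves a half-merged target behind.
function findForbiddenKey(src, path = []) {
  for (const key of Object.keys(src)) {            // own enumerable keys only
    if (FORBIDDEN.has(key)) return [...path, key].join('.');
    if (isPlainObject(src[key])) {
      const hit = findForbiddenKey(src[key], [...path, key]);
      if (hit) return hit;
    }
  }
  return null;
}

// Recursive merge of already-validated input. Arrays and primitives are
// treated as leaves and replace whatever the target held at that key.
function deepMerge(target, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      // Only descend into an object the target owns itself; never into an
      // inherited property such as one living on Object.prototype.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      deepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Entry point for untrusted JSON (for example a request body):
// parse, validate the whole tree, then merge.
function mergeUntrustedJson(target, json) {
  const src = JSON.parse(json);
  if (!isPlainObject(src)) return { ok: false, reason: 'top-level value is not an object' };
  const bad = findForbiddenKey(src);
  if (bad) return { ok: false, reason: `forbidden key at path "${bad}"` };
  return { ok: true, target: deepMerge(target, src) };
}

// Constructed sample inputs (not taken from the issue or the advisory).
const benign = '{"a":{"y":2},"b":3}';
const nested = '{"a":{"__proto__":{"polluted":true}}}';
console.log(mergeUntrustedJson({ a: { x: 1 } }, benign));   // ok: true, merged target
console.log(mergeUntrustedJson({}, nested));                 // ok: false, path "a.__proto__"
console.log('Object.prototype.polluted ->', ({}).polluted);  // undefined
```

Note that JSON.parse creates an own property literally named "__proto__" rather than setting the prototype, which is why Object.keys sees it and the walk can reject it; a check that only looks at the first path segment would pass the nested case straight through to the merge.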

bbossola commented 4 months ago

This looks like a dependency-check report. DP relies on the NVD for its vulnerability. This specific CVE has not been updated and still flags (incorrectly) all the versions of the library.

Unfortunately the NVD has been maintained less promptly lately: https://blog.meterian.com/2024/04/08/nvd-update-delays-whats-happening-at-the-national-vulnerability-database/