This repository has been archived by the owner on Feb 18, 2022. It is now read-only.

Security Alert - Package: object-path; Severity: HIGH #804

Open
phenggeler opened this issue Jan 25, 2022 · 1 comment

phenggeler commented Jan 25, 2022

    Affected package: object-path
    Ecosystem: NPM
    Affected version range: < 0.11.6

    Summary: Prototype Pollution in object-path
    Description: This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator always returns false when the type of the operands is different.
    identifiers: [{'type': 'GHSA', 'value': 'GHSA-v39p-96qg-c8rf'}, {'type': 'CVE', 'value': 'CVE-2021-23434'}]

    Fixed Version: 0.11.6
    Created Date = January 25, 2022

    

    ---
    
    Affected package: object-path
    Ecosystem: NPM
    Affected version range: < 0.11.8

    Summary: Prototype Pollution in object-path
    Description: object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
    identifiers: [{'type': 'GHSA', 'value': 'GHSA-8v63-cqqc-6r2c'}, {'type': 'CVE', 'value': 'CVE-2021-3805'}]

    Fixed Version: 0.11.8
    Created Date = January 25, 2022

    

    ---
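
The type confusion described in the first advisory above, shown as an added JavaScript example; it is not code from this issue or from object-path. All function names and the sample path are hypothetical, and the walk only resolves the target object without writing to it.

```javascript
// Added illustration; names are hypothetical, not object-path's API.
const BLOCKED = ['__proto__', 'constructor', 'prototype'];

// Guard in the style the advisory describes: strict comparison against a string.
function naiveGuard(key) {
  return key === '__proto__';
}

// Hardened guard: only strings and numbers are accepted as path components,
// and the comparison uses the string form that property lookup will use.
function hardenedGuard(key) {
  if (typeof key !== 'string' && typeof key !== 'number') {
    throw new TypeError('path component must be a string or number');
  }
  return BLOCKED.includes(String(key));
}

// Walks `path` from `root` and returns the object a final write would land on.
// It performs no write, so running it does not modify any prototype.
function resolveContainer(root, path, isBlocked) {
  let current = root;
  for (const key of path.slice(0, -1)) {
    if (isBlocked(key)) throw new Error('blocked path component');
    // Property access coerces the key to a string: ['__proto__'] -> '__proto__'.
    current = current[key];
    if (current === null || typeof current !== 'object') {
      throw new Error('path does not resolve to an object');
    }
  }
  return current;
}

// Constructed sample input: the first component is an array, not a string.
const samplePath = [['__proto__'], 'flag'];

function naiveReachesPrototype() {
  return resolveContainer({}, samplePath, naiveGuard) === Object.prototype;
}

function hardenedRejects() {
  try {
    resolveContainer({}, samplePath, hardenedGuard);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
console.log(naiveReachesPrototype(), hardenedRejects());
```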