PT-2018-16172 · Node · Merge-Recursive
Holyvier · Published 2018-07-03 · Updated 2018-09-18 · CVE-2018-3751
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
merge-recursive versions <= 0.3.0
Description
The issue allows an attacker to modify the prototype of Object, adding or modifying properties that will then exist on all objects. This can occur when the attacker controls part of the structure passed to the utilities function in the merge-recursive node module: when malicious user input is merged with another object, the attacker can modify the prototype of Object via `__proto__`.
Recommendations
At the moment, there is no information about a newer version of merge-recursive that contains a fix for this vulnerability in versions <= 0.3.0.
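The merge pattern the description refers to, shown as an added example that is not part of the advisory and not code from the merge-recursive package. `naiveMerge`, `safeMerge`, `pollutes` and the sample JSON are hypothetical names and constructed input; the block puts an unguarded recursive merge beside a hardened one suitable for untrusted input.

```javascript
// Keys that reach the prototype chain instead of creating an ordinary property.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded recursive merge (hypothetical): reading target['__proto__'] returns
// Object.prototype, so the recursion writes the input's keys onto it.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge (hypothetical): own keys only, blocked keys skipped, and
// recursion only into properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(value)) {
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own, enumerable key.
const SAMPLE_INPUT = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Runs one merge function on the sample and reports whether a fresh object
// inherited the injected property; Object.prototype is cleaned up afterwards.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(SAMPLE_INPUT));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge));
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));
```

The same `pollutes` check can serve as a regression test around any merge helper that receives parsed request bodies.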
Exploit
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Merge-Recursive