PT-2018-16174 · Node · Merge-Objects

Holyvier · Published 2018-07-03 · Updated 2018-09-18 · CVE-2018-3753

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: merge-objects node module versions <= 1.0.0

Description: The utilities function in the merge-objects node module can be tricked into modifying the prototype of Object when an attacker controls part of the structure passed to it. This lets the attacker add or modify properties that will then exist on all objects.

Recommendations: For merge-objects node module versions <= 1.0.0, consider restricting use of the utilities function until a patch is available, or ensure that the structure passed to it is thoroughly validated to prevent manipulation by an attacker.
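Added example, not the merge-objects module's own code: a naive recursive merge of the kind the advisory describes, beside a hardened variant that rejects prototype-chain keys, with a probe that checks whether an unrelated object picked up the injected property. The untrusted JSON input is constructed for illustration.

```javascript
// Added example, not the merge-objects module's own code: a naive recursive
// merge of the kind the advisory describes, beside a hardened variant.
// The untrusted input below is constructed for illustration.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: every key of the untrusted source is walked, so a
// "__proto__" key resolves to Object.prototype and the recursion writes into it.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened variant: skip the keys that reach the prototype chain, walk only
// own properties, and never descend into an inherited object on the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const base = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(base, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a JSON body merged into a config object.
// JSON.parse yields an own property literally named "__proto__".
const UNTRUSTED_JSON = '{"name":"app","__proto__":{"polluted":"yes"}}';

// Runs one merge implementation on the input, reports whether a fresh,
// unrelated object now carries the injected property, then cleans up.
function probe(mergeFn) {
  const result = mergeFn({ name: 'defaults' }, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { name: result.name, polluted };
}

console.log('naive:', probe(naiveMerge)); // { name: 'app', polluted: true }
console.log('safe :', probe(safeMerge));  // { name: 'app', polluted: false }
```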

Exploit

Fix

Prototype Pollution

RCE


Weakness Enumeration

Related identifiers

CVE-2018-3753
GHSA-FP82-2H99-3FPP

Affected products

Merge-Objects