PT-2019-12025 · Deeply · Deeply

Published

2019-08-23

·

Updated

2019-10-08

·

CVE-2019-10750

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

deeply versions prior to 3.1.0
deeply versions prior to 1.0.1

Description

The issue is Prototype Pollution. The assign-deep function in deeply can be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. The package does not validate which Object properties it updates, which allows attackers to modify the prototype of Object. This can add a property to, or modify an existing property on, all objects.

Recommendations

For versions prior to 1.0.1, upgrade to version 3.1.0 or later. For versions prior to 3.1.0, upgrade to version 3.1.0 or later.
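
The defect class described above, as an added example that is not the deeply package's code: a hypothetical unvalidated recursive merge (`naiveMerge`) beside a hardened one (`safeMerge`) that skips prototype-bearing keys and recurses only into properties the target owns. The input is a constructed sample.

```javascript
// Added illustration, not the deeply package's code. naiveMerge and safeMerge
// are hypothetical helpers; the payload below is a constructed sample.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Unvalidated recursive merge: target["__proto__"] resolves to Object.prototype,
// so the recursion writes caller-supplied keys onto every object's prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skip prototype-bearing keys and recurse only into properties
// the target owns, never into anything inherited.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (!isPlainObject(value)) {
      target[key] = value;
    } else if (own && isPlainObject(target[key])) {
      safeMerge(target[key], value);
    } else {
      target[key] = safeMerge({}, value);
    }
  }
  return target;
}

// Runs both merges on the same input and reports whether an unrelated fresh
// object inherited the injected property. Restores Object.prototype in between.
function demo() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  naiveMerge({}, payload);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  const merged = safeMerge({}, payload);
  return { naivePolluted, safePolluted: ({}).polluted === true, name: merged.name };
}
```

The same key filter is a useful regression test after upgrading: merge the constructed payload with the fixed version and assert that a fresh `{}` has no new inherited property.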

Exploit

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2019-10750
GHSA-8J4W-5FW4-RM27
SNYK-JS-DEEPLY-451026

Affected Products

Deeply