PT-2023-20517 · Unknown · Underscore-Keypath

Peng Zhou

Publicado

2023-08-01

Atualizado

2023-08-04

CVE-2023-26139

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions underscore-keypath versions 0.0.11 and later

Description The issue arises from improper input sanitization in the setProperty() function, allowing the usage of arguments like proto and leading to Prototype Pollution. This can be exploited due to the lack of proper input validation.

Recommendations For versions 0.0.11 and later, consider disabling the setProperty() function until a patch is available to prevent exploitation. Restrict the use of the name argument in the setProperty() function to minimize the risk of Prototype Pollution. Avoid using arguments like proto in the setProperty() function until the issue is resolved.

Correção

Prototype Pollution

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-1321

Identificadores relacionados

CVE-2023-26139

GHSA-GPVC-MX6G-CCHV

Produtos afetados

Underscore-Keypath

PT-2023-20517 · Unknown · Underscore-Keypath

CVE-2023-26139

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 8