9.8
CVE-2022-24802
- EPSS 1.61%
- Veröffentlicht 01.04.2022 00:15:08
- Zuletzt bearbeitet 21.11.2024 06:51:07
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPrototype Pollution in deepmerge-ts
deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known workarounds for this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Deepmerge-ts Project ≫ Deepmerge-ts Version < 4.0.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.61% | 0.728 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| security-advisories@github.com | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
https://github.com/RebeccaStevens/deepmerge-ts/commit/b39f1a93d9e1c3541bd2fe159fd696a16dbe1c72
https://github.com/RebeccaStevens/deepmerge-ts/commit/d637db7e4fb2bfb113cb4bc1c85a125936d7081b
https://github.com/RebeccaStevens/deepmerge-ts/security/advisories/GHSA-r9w3-g83q-m6hq