CVE-2023-45827

EPSS 8.4%
Veröffentlicht 06.11.2023 18:15:08
Zuletzt bearbeitet 21.11.2024 08:27:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Clickbar ≫ Dot-diver SwPlatformnode.js Version < 1.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	8.4%	0.92

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.3	3.9	3.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a

Patch

https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-45827

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-45827

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-45827

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-45827