Description
This affects all versions of the package mout. The deepFillIn function can be used to 'fill missing properties recursively', while deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to Prototype Pollution.
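The missing key check, shown as an added example on a simplified recursive merge. This is not mout's source code; mergeUnchecked, mergeChecked, BLOCKED_KEYS and demo are hypothetical names, and the input is constructed.

```javascript
// Keys that resolve to the prototype chain instead of ordinary data.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unchecked variant: every source key is used to index into the target,
// so target['__proto__'] resolves to Object.prototype and is recursed into.
function mergeUnchecked(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      mergeUnchecked(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Checked variant: skip prototype-related keys and only recurse into
// children that are the target's own properties.
function mergeChecked(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(val) && own && isPlainObject(target[key])) {
      mergeChecked(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs one merge on constructed untrusted input and reports whether an
// unrelated, freshly created object picked up the injected property.
function demo(mergeFn) {
  // JSON.parse creates "__proto__" as an own property of the parsed object.
  const untrusted = JSON.parse('{"name":"x","__proto__":{"polluted":true}}');
  const target = mergeFn({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state after the check
  return { leaked, name: target.name };
}

console.log('unchecked:', demo(mergeUnchecked), 'checked:', demo(mergeChecked));
```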
Remediation
References
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373
https://snyk.io/vuln/SNYK-JS-MOUT-1014544
https://github.com/mout/mout/blob/master/src/object/deepMixIn.js
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374
https://github.com/mout/mout/blob/master/src/object/deepFillIn.js