Description

This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.

Remediation

References

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373

https://snyk.io/vuln/SNYK-JS-MOUT-1014544

https://github.com/mout/mout/blob/master/src/object/deepMixIn.js

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374

https://github.com/mout/mout/blob/master/src/object/deepFillIn.js

Related Vulnerabilities

CVE-2020-13934 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2020-28438 Vulnerability in npm package deferred-exec

CVE-2023-3224 Vulnerability in npm package nuxt

CVE-2023-22578 Vulnerability in npm package @sequelize/core

CVE-2022-3952 Vulnerability in maven package com.manydesigns:portofino-microservice-launcher

Severity

High

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Exploit Third Party Advisory