Description

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”.

Remediation

References

https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714

https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252

Related Vulnerabilities

CVE-2019-11808 Vulnerability in maven package io.ratpack:ratpack-session

CVE-2021-33360 Vulnerability in npm package @stoqey/gnuplot

CVE-2019-13000 Vulnerability in maven package fr.acinq.eclair:eclair-core_2.11

CVE-2019-9155 Vulnerability in maven package org.webjars.npm:openpgp

CVE-2017-12648 Vulnerability in maven package com.liferay:com.liferay.frontend.taglib

Severity

High

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Third Party Advisory