Description

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”.

Remediation

References

https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252

https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714

Related Vulnerabilities

CVE-2017-16145 Vulnerability in npm package sspa

CVE-2019-1003078 Vulnerability in maven package org.jenkins-ci.plugins:labmanager

CVE-2020-28469 Vulnerability in maven package org.webjars.bowergithub.es128:glob-parent

CVE-2019-12402 Vulnerability in maven package org.apache.commons:commons-compress

CVE-2016-10528 Vulnerability in npm package restafary

Severity

High

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Third Party Advisory