Search criteria
2 vulnerabilities by adaltas
CVE-2021-28860 (GCVE-0-2021-28860)
Vulnerability from cvelistv5 – Published: 2021-05-03 11:48 – Updated: 2024-08-03 21:55
VLAI?
Summary
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://nodejs.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.npmjs.com/~david"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adaltas/node-mixme/issues/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210618-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via \u0027__proto__\u0027 through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-18T09:06:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://nodejs.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.npmjs.com/~david"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adaltas/node-mixme/issues/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210618-0005/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-28860",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via \u0027__proto__\u0027 through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://nodejs.com",
"refsource": "MISC",
"url": "http://nodejs.com"
},
{
"name": "https://www.npmjs.com/~david",
"refsource": "MISC",
"url": "https://www.npmjs.com/~david"
},
{
"name": "https://github.com/adaltas/node-mixme/issues/1",
"refsource": "MISC",
"url": "https://github.com/adaltas/node-mixme/issues/1"
},
{
"name": "https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028",
"refsource": "MISC",
"url": "https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028"
},
{
"name": "https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4",
"refsource": "MISC",
"url": "https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210618-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210618-0005/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-28860",
"datePublished": "2021-05-03T11:48:33",
"dateReserved": "2021-03-19T00:00:00",
"dateUpdated": "2024-08-03T21:55:11.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23354 (GCVE-0-2021-23354)
Vulnerability from cvelistv5 – Published: 2021-03-12 15:10 – Updated: 2024-09-17 03:32
VLAI?
Title
Regular Expression Denial of Service (ReDoS)
Summary
The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.
Severity ?
5.3 (Medium)
CWE
- Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Yeting Li
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.674Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-PRINTF-1072096"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adaltas/node-printf/pull/32"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/adaltas/node-printf/issues/31"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "printf",
"vendor": "n/a",
"versions": [
{
"lessThan": "0.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Yeting Li"
}
],
"datePublic": "2021-03-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\\%(?:\\(([\\w_.]+)\\)|([1-9]\\d*)\\$)?([0 +\\-\\]*)(\\*|\\d+)?(\\.)?(\\*|\\d+)?[hlL]?([\\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-12T15:10:15",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-PRINTF-1072096"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adaltas/node-printf/pull/32"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/adaltas/node-printf/issues/31"
}
],
"title": "Regular Expression Denial of Service (ReDoS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-03-12T15:08:10.668042Z",
"ID": "CVE-2021-23354",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service (ReDoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "printf",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.6.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Yeting Li"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\\%(?:\\(([\\w_.]+)\\)|([1-9]\\d*)\\$)?([0 +\\-\\]*)(\\*|\\d+)?(\\.)?(\\*|\\d+)?[hlL]?([\\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regular Expression Denial of Service (ReDoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-PRINTF-1072096",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-PRINTF-1072096"
},
{
"name": "https://github.com/adaltas/node-printf/pull/32",
"refsource": "MISC",
"url": "https://github.com/adaltas/node-printf/pull/32"
},
{
"name": "https://github.com/adaltas/node-printf/issues/31",
"refsource": "MISC",
"url": "https://github.com/adaltas/node-printf/issues/31"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23354",
"datePublished": "2021-03-12T15:10:16.014140Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-17T03:32:43.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}