Search

Find a vulnerability

Search criteria

    2 vulnerabilities by underscore-keypath_project

    CVE-2023-26139 (GCVE-0-2023-26139)

    Vulnerability from nvd – Published: 2023-08-01 05:00 – Updated: 2024-10-17 18:59
    VLAI
    Summary
    Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    n/a underscore-keypath Affected: 0.0.11 , < * (semver)
    Credits
    Peng Zhou Yuhan Gao
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:39:06.606Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-26139",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T18:58:57.770521Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T18:59:07.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "underscore-keypath",
              "vendor": "n/a",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "affected",
                  "version": "0.0.11",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peng Zhou"
            },
            {
              "lang": "en",
              "value": "Yuhan Gao"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like \u201c__proto__\u201d."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Prototype Pollution",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-01T05:00:01.066Z",
            "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
            "shortName": "snyk"
          },
          "references": [
            {
              "url": "https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714"
            },
            {
              "url": "https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "assignerShortName": "snyk",
        "cveId": "CVE-2023-26139",
        "datePublished": "2023-08-01T05:00:01.066Z",
        "dateReserved": "2023-02-20T10:28:48.926Z",
        "dateUpdated": "2024-10-17T18:59:07.871Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-26139 (GCVE-0-2023-26139)

    Vulnerability from cvelistv5 – Published: 2023-08-01 05:00 – Updated: 2024-10-17 18:59
    VLAI
    Summary
    Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    n/a underscore-keypath Affected: 0.0.11 , < * (semver)
    Credits
    Peng Zhou Yuhan Gao
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:39:06.606Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-26139",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T18:58:57.770521Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T18:59:07.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "underscore-keypath",
              "vendor": "n/a",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "affected",
                  "version": "0.0.11",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Peng Zhou"
            },
            {
              "lang": "en",
              "value": "Yuhan Gao"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like \u201c__proto__\u201d."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Prototype Pollution",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-01T05:00:01.066Z",
            "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
            "shortName": "snyk"
          },
          "references": [
            {
              "url": "https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714"
            },
            {
              "url": "https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "assignerShortName": "snyk",
        "cveId": "CVE-2023-26139",
        "datePublished": "2023-08-01T05:00:01.066Z",
        "dateReserved": "2023-02-20T10:28:48.926Z",
        "dateUpdated": "2024-10-17T18:59:07.871Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }