Vulnerability-Lookup

CVE-2021-29491 (GCVE-0-2021-29491)

Vulnerability from cvelistv5 – Published: 2021-05-06 12:51 – Updated: 2022-03-14 20:10

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-28860. Reason: This candidate is a reservation duplicate of CVE-2021-28860. Notes: All CVE users should reference CVE-2021-28860 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2022-03-14T20:10:08",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-28860. Reason: This candidate is a reservation duplicate of CVE-2021-28860. Notes: All CVE users should reference CVE-2021-28860 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-29491",
    "datePublished": "2021-05-06T12:51:37",
    "dateRejected": "2022-03-14T20:10:08",
    "dateReserved": "2021-03-30T00:00:00",
    "dateUpdated": "2022-03-14T20:10:08",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-29491\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-05-06T13:15:12.533\",\"lastModified\":\"2023-11-07T03:32:38.597\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-28860. Reason: This candidate is a reservation duplicate of CVE-2021-28860. Notes: All CVE users should reference CVE-2021-28860 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage\"}],\"metrics\":{},\"references\":[]}}"
  }
}

FKIE_CVE-2021-29491

Vulnerability from fkie_nvd - Published: 2021-05-06 13:15 - Updated: 2023-11-07 03:32

Severity ?

Summary

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-28860. Reason: This candidate is a reservation duplicate of CVE-2021-28860. Notes: All CVE users should reference CVE-2021-28860 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage

References

	URL	Tags

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-28860. Reason: This candidate is a reservation duplicate of CVE-2021-28860. Notes: All CVE users should reference CVE-2021-28860 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage"
    }
  ],
  "id": "CVE-2021-29491",
  "lastModified": "2023-11-07T03:32:38.597",
  "metrics": {},
  "published": "2021-05-06T13:15:12.533",
  "references": [],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Rejected"
}

GHSA-79JW-6WG7-R9G4

Vulnerability from github – Published: 2021-05-06 15:45 – Updated: 2021-05-07 21:13

Summary

Use of Potentially Dangerous Function in mixme

Details

Impact

In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).

Patches

The problem is corrected starting with version 0.5.1.

References

Issue: https://github.com/adaltas/node-mixme/issues/1 Commit: https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mixme"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T18:39:38Z",
    "nvd_published_at": "2021-05-06T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn Node.js mixme v0.5.0, an attacker can add or alter properties of an object via \u0027proto\u0027 through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).\n\n### Patches\nThe problem is corrected starting with version 0.5.1.\n\n### References\nIssue: https://github.com/adaltas/node-mixme/issues/1\nCommit: https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028\n\n",
  "id": "GHSA-79jw-6wg7-r9g4",
  "modified": "2021-05-07T21:13:59Z",
  "published": "2021-05-06T15:45:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29491"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210622-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Potentially Dangerous Function in mixme"
}

GSD-2021-29491

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-28860. Reason: This candidate is a reservation duplicate of CVE-2021-28860. Notes: All CVE users should reference CVE-2021-28860 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Aliases

CVE-2021-29491

Aliases

CVE-2021-29491

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-29491",
    "description": "Mixme is a library for recursive merging of Javascript objects. In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via \u0027proto\u0027 through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS). The problem is corrected starting with version 0.5.1; no workarounds are known to exist.",
    "id": "GSD-2021-29491"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-29491"
      ],
      "details": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-28860. Reason: This candidate is a reservation duplicate of CVE-2021-28860. Notes: All CVE users should reference CVE-2021-28860 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.",
      "id": "GSD-2021-29491",
      "modified": "2023-12-13T01:23:36.967566Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-29491",
        "STATE": "REJECT"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-28860. Reason: This candidate is a reservation duplicate of CVE-2021-28860. Notes: All CVE users should reference CVE-2021-28860 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.5.1",
          "affected_versions": "All versions before 0.5.1",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-913",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Mixme is a library for recursive merging of Javascript objects. In Node.js mixme, an attacker can add or alter properties of an object via `proto` through the `mutate()` and `merge()` functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).",
          "fixed_versions": [
            "0.5.1"
          ],
          "identifier": "CVE-2021-29491",
          "identifiers": [
            "CVE-2021-29491",
            "GHSA-79jw-6wg7-r9g4"
          ],
          "not_impacted": "All versions starting from 0.5.1",
          "package_slug": "npm/mixme",
          "pubdate": "2021-05-06",
          "solution": "Upgrade to version 0.5.1 or above.",
          "title": "Improper Control of Dynamically-Managed Code Resources",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-29491"
          ],
          "uuid": "96449f8d-66ac-407b-b9d8-a3a6a2c0d475"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:mixme_project:mixme:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.5.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29491"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Mixme is a library for recursive merging of Javascript objects. In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via \u0027proto\u0027 through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS). The problem is corrected starting with version 0.5.1; no workarounds are known to exist."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-913"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210622-0002/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210622-0002/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      },
      "lastModifiedDate": "2021-12-03T19:47Z",
      "publishedDate": "2021-05-06T13:15Z"
    }
  }
}

CNVD-2021-47389

Vulnerability from cnvd - Published: 2021-07-05

Title

Npm mixme存在拒绝服务漏洞

Description

Npm mixme是美国Npm公司的一个应用软件。用于递归合并多个对象。最后一个对象优先于先前的对象。 Npm mixme v0.5.0版本存在安全漏洞，攻击者利用该漏洞可以添加或修改对象的属性，这将导致潜在的拒绝服务(DoS)。

Severity

中

Patch Name

Npm mixme存在拒绝服务漏洞的补丁

Patch Description

Npm mixme是美国Npm公司的一个应用软件。用于递归合并多个对象。最后一个对象优先于先前的对象。 Npm mixme v0.5.0版本存在安全漏洞，攻击者利用该漏洞可以添加或修改对象的属性，这将导致潜在的拒绝服务(DoS)。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4

Reference

https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4

Impacted products

Name
npm mixme 0.5.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-29491",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-29491"
    }
  },
  "description": "Npm mixme\u662f\u7f8e\u56fdNpm\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u7528\u4e8e\u9012\u5f52\u5408\u5e76\u591a\u4e2a\u5bf9\u8c61\u3002\u6700\u540e\u4e00\u4e2a\u5bf9\u8c61\u4f18\u5148\u4e8e\u5148\u524d\u7684\u5bf9\u8c61\u3002\n\nNpm mixme v0.5.0\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u6dfb\u52a0\u6216\u4fee\u6539\u5bf9\u8c61\u7684\u5c5e\u6027\uff0c\u8fd9\u5c06\u5bfc\u81f4\u6f5c\u5728\u7684\u62d2\u7edd\u670d\u52a1(DoS)\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-47389",
  "openTime": "2021-07-05",
  "patchDescription": "Npm mixme\u662f\u7f8e\u56fdNpm\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u7528\u4e8e\u9012\u5f52\u5408\u5e76\u591a\u4e2a\u5bf9\u8c61\u3002\u6700\u540e\u4e00\u4e2a\u5bf9\u8c61\u4f18\u5148\u4e8e\u5148\u524d\u7684\u5bf9\u8c61\u3002\r\n\r\nNpm mixme v0.5.0\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u6dfb\u52a0\u6216\u4fee\u6539\u5bf9\u8c61\u7684\u5c5e\u6027\uff0c\u8fd9\u5c06\u5bfc\u81f4\u6f5c\u5728\u7684\u62d2\u7edd\u670d\u52a1(DoS)\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Npm mixme\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "npm mixme 0.5.0"
  },
  "referenceLink": "https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4",
  "serverity": "\u4e2d",
  "submitTime": "2021-06-24",
  "title": "Npm mixme\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-29491 (GCVE-0-2021-29491)

FKIE_CVE-2021-29491

GHSA-79JW-6WG7-R9G4

Impact

Patches

References

GSD-2021-29491

CNVD-2021-47389

Tags

Sightings

Nomenclature