Giters

lukeed / dset

A tiny (197B) utility for safely writing deep Object values~!

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Vulnerability version 3.1.3

dcardonac31 opened this issue · comments

commented

Identifiers
pkg:npm/dset@3.1.3 (Confidence:Highest)
cpe:2.3:a:dset_project:dset:3.1.3:::::::* (Confidence:Highest)
Published Vulnerabilities
CVE-2022-25645

All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains proto, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
MISC - https://github.com/lukeed/dset/blob/master/src/merge.js%23L9
MISC - #38
MISC - https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2431974
MISC - https://snyk.io/vuln/SNYK-JS-DSET-2330881
Vulnerable Software & Versions:

cpe:2.3:a:dset_project:dset::::::node.js::*

Identifiers
pkg:npm/dset@3.1.3 (Confidence:Highest)
cpe:2.3:a:dset_project:dset:3.1.3:::::::* (Confidence:Highest)
Published Vulnerabilities
CVE-2022-25645

All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains proto, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
MISC - https://github.com/lukeed/dset/blob/master/src/merge.js%23L9
MISC - #38
MISC - https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2431974
MISC - https://snyk.io/vuln/SNYK-JS-DSET-2330881
Vulnerable Software & Versions:

cpe:2.3:a:dset_project:dset::::::node.js::*

commented

This looks like a dependency-check report. DP relies on the NVD for its vulnerability. This specific CVE has not been updated and still flags (incorrectly) all the versions of the library.

Unfortunately the NVD have been maintaned less promptly, lately:
https://blog.meterian.com/2024/04/08/nvd-update-delays-whats-happening-at-the-national-vulnerability-database/