Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00YzJnLWh4NDktN2gyNc4AA4oQ
Prototype pollution not blocked by object-path related utilities in hoolock
Impact
Utility functions related to object paths (get, set and update) did not block attempts to access or alter object prototypes.
Patches
The get, set and update functions will throw a TypeError when a user attempts to access or alter inherited properties in versions >=2.2.1.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00YzJnLWh4NDktN2gyNc4AA4oQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 20 days ago
CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Identifiers: GHSA-4c2g-hx49-7h25, CVE-2024-23339
References:
- https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25
- https://nvd.nist.gov/vuln/detail/CVE-2024-23339
- https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982
- https://github.com/advisories/GHSA-4c2g-hx49-7h25
Blast Radius: 1.0
Affected Packages
npm:hoolock
Dependent packages: 0Dependent repositories: 0
Downloads: 82 last month
Affected Version Ranges: >= 2.0.0, < 2.2.1
Fixed in: 2.2.1
All affected versions: 2.0.0, 2.1.0, 2.2.0
All unaffected versions: 0.0.0, 1.0.0, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 2.2.1