Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NzZwLWM3N20teDJoY84AA9bu
Prototype pollution in ag-grid-community via the _.mergeDeep function
ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. Prior versions were also found to be affected.
Permalink: https://github.com/advisories/GHSA-876p-c77m-x2hcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NzZwLWM3N20teDJoY84AA9bu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 2 months ago
Updated: 3 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-876p-c77m-x2hc, CVE-2024-38996
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-38996
- https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa
- https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b
- https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b
- https://github.com/ag-grid/ag-grid/pull/8290
- https://github.com/advisories/GHSA-876p-c77m-x2hc
Blast Radius: 36.4
Affected Packages
npm:ag-grid-community
Dependent packages: 766Dependent repositories: 5,156
Downloads: 2,929,720 last month
Affected Version Ranges: < 31.3.4
Fixed in: 31.3.4
All affected versions: 18.1.2, 19.0.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 20.0.0, 20.1.0, 20.2.0, 21.0.0, 21.0.1, 21.1.0, 21.1.1, 21.2.0, 21.2.1, 21.2.2, 22.0.0, 22.1.0, 22.1.1, 23.0.0, 23.0.1, 23.0.2, 23.1.0, 23.1.1, 23.2.0, 23.2.1, 24.0.0, 24.1.0, 25.0.0, 25.0.1, 25.1.0, 25.2.0, 25.2.1, 25.3.0, 26.0.0, 26.1.0, 26.2.0, 26.2.1, 27.0.0, 27.0.1, 27.1.0, 27.2.0, 27.2.1, 27.3.0, 28.0.0, 28.0.1, 28.0.2, 28.1.0, 28.1.1, 28.2.0, 28.2.1, 29.0.0, 29.1.0, 29.2.0, 29.3.0, 29.3.1, 29.3.2, 29.3.3, 29.3.4, 29.3.5, 30.0.0, 30.0.1, 30.0.2, 30.0.3, 30.0.5, 30.0.6, 30.1.0, 30.2.0, 30.2.1, 31.0.0, 31.0.1, 31.0.2, 31.0.3, 31.1.0, 31.1.1, 31.2.0, 31.2.1, 31.3.0, 31.3.1, 31.3.2
All unaffected versions: 31.3.4, 32.0.0, 32.0.1, 32.0.2, 32.1.0
npm:ag-grid-enterprise
Dependent packages: 306Dependent repositories: 922
Downloads: 1,470,245 last month
Affected Version Ranges: < 31.3.4
Fixed in: 31.3.4
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0, 4.2.1, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.4.0, 6.0.1, 6.1.0, 6.2.0, 6.2.1, 6.3.0, 6.4.0, 6.4.2, 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.2.0, 7.2.2, 7.2.3, 7.2.4, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 10.0.0, 10.0.1, 10.1.0, 11.0.0, 12.0.0, 12.0.1, 12.0.2, 13.0.0, 13.0.1, 13.1.0, 13.1.1, 13.1.2, 13.2.0, 13.3.0, 13.3.1, 14.0.0, 14.0.1, 14.1.0, 14.1.1, 14.2.0, 15.0.0, 16.0.0, 16.0.1, 17.0.0, 17.1.0, 17.1.1, 18.0.0, 18.0.1, 18.1.0, 18.1.1, 19.0.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 20.0.0, 20.1.0, 20.2.0, 21.0.0, 21.0.1, 21.1.0, 21.1.1, 21.2.0, 21.2.1, 21.2.2, 22.0.0, 22.1.0, 22.1.1, 23.0.0, 23.0.1, 23.0.2, 23.1.0, 23.1.1, 23.2.0, 23.2.1, 24.0.0, 24.1.0, 25.0.0, 25.0.1, 25.1.0, 25.2.0, 25.2.1, 25.3.0, 26.0.0, 26.0.1, 26.1.0, 26.2.0, 26.2.1, 27.0.0, 27.0.1, 27.1.0, 27.2.0, 27.2.1, 27.3.0, 28.0.0, 28.0.1, 28.0.2, 28.1.0, 28.1.1, 28.1.2, 28.1.3, 28.2.0, 28.2.1, 29.0.0, 29.1.0, 29.2.0, 29.3.0, 29.3.1, 29.3.2, 29.3.3, 29.3.4, 29.3.5, 30.0.0, 30.0.1, 30.0.2, 30.0.3, 30.0.5, 30.0.6, 30.1.0, 30.2.0, 30.2.1, 31.0.0, 31.0.1, 31.0.2, 31.0.3, 31.1.0, 31.1.1, 31.2.0, 31.2.1, 31.3.0, 31.3.1, 31.3.2
All unaffected versions: 31.3.4, 32.0.0, 32.0.1, 32.0.2, 32.1.0