Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wOTJ4LXIzNnctOTM5Nc0Vjg

Type confusion in mpath

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because, when the input is an array, the method that is called is Array.prototype.indexOf() and not String.prototype.indexOf(); the two behave differently depending on the type of the input.
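The following is an added example, not code from mpath or from the advisory. It contrasts the membership check described above with a version that validates the segment type before consulting the deny list, and wraps it in a small path walker. The names `ignoreProperties`, `isBlockedWeak`, `isSafePart` and `safeGet` are chosen for this example; the deny list contents are constructed sample values.

```javascript
// Added example (not mpath's own code). Deny list of property names that
// a dotted-path lookup must never descend into; values are constructed for
// this example.
const ignoreProperties = ['__proto__', 'constructor', 'prototype'];

// Weak check in the form the advisory describes: ignoreProperties.indexOf(part)
// compares array elements with strict equality. A string '__proto__' matches,
// but a non-string such as the array ['__proto__'] never equals any element,
// so indexOf returns -1 and the part is treated as allowed.
function isBlockedWeak(part) {
  return ignoreProperties.indexOf(part) !== -1;
}

// Hardened check: a path segment is acceptable only if it is a string and
// that string is absent from the deny list. Arrays, objects, numbers and
// anything else are rejected before any comparison happens.
function isSafePart(part) {
  if (typeof part !== 'string') return false;
  return ignoreProperties.indexOf(part) === -1;
}

// Walks `parts` through `obj`, stopping at the first segment that fails the
// hardened check or is not an own property of the current object. Returns
// undefined for any rejected or missing segment.
function safeGet(obj, parts) {
  let cur = obj;
  for (const part of parts) {
    if (!isSafePart(part)) return undefined;
    if (cur === null || typeof cur !== 'object') return undefined;
    if (!Object.prototype.hasOwnProperty.call(cur, part)) return undefined;
    cur = cur[part];
  }
  return cur;
}

// Constructed sample document for a quick self-check when run directly.
const sampleDoc = { user: { name: 'alice', roles: ['admin'] } };
console.log(safeGet(sampleDoc, ['user', 'name']));        // alice
console.log(safeGet(sampleDoc, [['__proto__'], 'x']));    // undefined
console.log(isBlockedWeak(['__proto__']));                // false (the gap)
console.log(isSafePart(['__proto__']));                   // false (closed)
```

The point of the contrast is that a deny list is only as good as the type of the value compared against it: the hardened version checks `typeof part === 'string'` first, so a non-string segment can never slip past the `indexOf` comparison regardless of how it would later be coerced during property access.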

Permalink: https://github.com/advisories/GHSA-p92x-r36w-9395
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wOTJ4LXIzNnctOTM5Nc0Vjg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 5 months ago

CVSS Score: 5.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-p92x-r36w-9395, CVE-2021-23438
References: Repository: https://github.com/aheckmann/mpath
Blast Radius: 32.6

Affected Packages

npm:mpath
Dependent packages: 107
Dependent repositories: 668,928
Downloads: 9,365,625 last month
Affected Version Ranges: < 0.8.4
Fixed in: 0.8.4
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3
All unaffected versions: 0.8.4, 0.9.0