Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wOTJ4LXIzNnctOTM5Nc0Vjg
Type confusion in mpath
This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that is called when the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). The two behave differently depending on the type of the input.
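The following is an added example, not mpath's own code, showing the type-confusion point above from the defender's side: Array.prototype.indexOf compares with strict equality, so an array-valued segment such as ['__proto__'] is never equal to the string entry in the denylist and the check silently passes. The hardened variant validates the type of every path segment before consulting the denylist, in the spirit of the referenced fix commit (the names ignoreProperties, isIgnoredLoose, assertSafeSegment and splitPath are this example's own; the project's actual change is in the commit listed under References).

```javascript
// Added example (not mpath's code). Constructed denylist in the shape the
// advisory describes.
const ignoreProperties = ['__proto__', 'constructor', 'prototype'];

// Mirrors the weak shape of the check: ignoreProperties is an array, so this
// is Array.prototype.indexOf, which uses strict equality. A string segment
// matches; a fresh array object never equals the string '__proto__'.
function isIgnoredLoose(segment) {
  return ignoreProperties.indexOf(segment) !== -1;
}

// Hardened guard: refuse any segment that is not a plain string or number
// before the denylist is consulted, so a non-string value cannot reach the
// comparison at all. Returns the normalised segment for use by the caller.
function assertSafeSegment(segment) {
  if (typeof segment !== 'string' && typeof segment !== 'number') {
    throw new TypeError(
      'path segment must be a string or number, got ' +
        Object.prototype.toString.call(segment)
    );
  }
  const key = String(segment);
  if (ignoreProperties.indexOf(key) !== -1) {
    throw new Error('refusing to traverse reserved property ' + key);
  }
  return key;
}

// Accepts either a dotted string or an array of segments (as mpath does)
// and validates every segment with the hardened guard.
function splitPath(path) {
  const parts = typeof path === 'string' ? path.split('.') : path;
  if (!Array.isArray(parts)) {
    throw new TypeError('path must be a string or an array of segments');
  }
  return parts.map(assertSafeSegment);
}

module.exports = { ignoreProperties, isIgnoredLoose, assertSafeSegment, splitPath };
```

The design choice worth noting is that the guard rejects on type first rather than coercing with String() and then checking: coercion would happen to catch ['__proto__'], but allowing non-string segments into a property path is the underlying defect, so failing loudly on them is the more robust fix and also surfaces misuse in logs.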
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wOTJ4LXIzNnctOTM5Nc0Vjg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 5 months ago
CVSS Score: 5.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-p92x-r36w-9395, CVE-2021-23438
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23438
- https://github.com/aheckmann/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc
- https://snyk.io/vuln/SNYK-JS-MPATH-1577289
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579548
- https://github.com/mongoosejs/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc
- https://github.com/advisories/GHSA-p92x-r36w-9395
Blast Radius: 32.6
Affected Packages
npm:mpath
Dependent packages: 107
Dependent repositories: 668,928
Downloads: 9,365,625 last month
Affected Version Ranges: < 0.8.4
Fixed in: 0.8.4
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3
All unaffected versions: 0.8.4, 0.9.0