Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRnODgtZnBwci01M3Bw

Prototype Pollution in set-value

Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Recommendation

If you are using set-value 3.x, upgrade to version 3.0.1 or later.
If you are using set-value 2.x, upgrade to version 2.0.1 or later.

Permalink: https://github.com/advisories/GHSA-4g88-fppr-53pp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRnODgtZnBwci01M3Bw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: about 1 year ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00552
EPSS Percentile: 0.7782

Identifiers: GHSA-4g88-fppr-53pp, CVE-2019-10747
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-10747
• https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
• https://www.npmjs.com/advisories/1012
• https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E
• https://lists.fedoraproject.org/archives/list/[email protected]/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/
• https://github.com/jonschlinkert/set-value/commit/95e9d9923f8a8b4a01da1ea138fcc39ec7b6b15f
• https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad
• https://github.com/advisories/GHSA-4g88-fppr-53pp

Repository: https://github.com/jonschlinkert/set-value
Blast Radius: 64.5

Affected Packages