An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZod2gtcnF3Zi1jeHhy

Moderate EPSS: 0.00329% (0.55229 Percentile)

Improperly Controlled Modification of Dynamically-Determined Object Attributes in vega-util

Affected package: npm:vega-util
Affected versions: < 1.13.1
Fixed versions: 1.13.1
62 Dependent packages
2,664 Dependent repositories
1,368,718 Downloads last month

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.13.0

All unaffected versions

1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 2.0.0

Versions of vega-util prior to 1.13.1 allow manipulation of the object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of Object.prototype.
