Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWN4bTMtMjg0cC1xYzR2
Prototype Pollution in sds
Affected versions of sds
are vulnerable to prototype pollution. The set
function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
Recommendation
Upgrade to version 4.0.0 or later
Permalink: https://github.com/advisories/GHSA-cxm3-284p-qc4vJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWN4bTMtMjg0cC1xYzR2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-cxm3-284p-qc4v, CVE-2020-7618
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7618
- https://github.com/monsterkodi/sds/blob/master/js/set.js#L31
- https://snyk.io/vuln/SNYK-JS-SDS-564123
- https://www.npmjs.com/advisories/1506
- https://github.com/advisories/GHSA-cxm3-284p-qc4v
Blast Radius: 1.6
Affected Packages
npm:sds
Dependent packages: 8Dependent repositories: 2
Downloads: 115 last month
Affected Version Ranges: < 4.0.0
Fixed in: 4.0.0
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.12, 1.2.13, 1.2.17, 1.2.20, 1.2.22, 1.3.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.21, 1.4.22, 1.4.23, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.1, 1.9.0, 1.9.1, 1.11.0, 1.12.0, 1.14.0, 1.14.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.2.0
All unaffected versions: 4.0.0, 4.1.1, 4.2.0, 4.3.0, 4.4.0