Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Prototype Pollution in mout
This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.
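The unchecked-key pattern described above, as an added example that is not mout's source and not part of the advisory: a generic recursive mix-in beside a version that rejects prototype-related keys, run on a constructed JSON input. All function names are hypothetical, and the key check shown is one common hardening, not necessarily the change made in the fixed release.

```javascript
// Added illustration; not mout's code. All names here are hypothetical.
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: every key from `source` is used to descend into `target`.
function unsafeDeepMixIn(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      // For key === '__proto__', target[key] resolves to Object.prototype,
      // so the recursion writes onto the shared prototype.
      unsafeDeepMixIn(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened pattern: reject prototype-related keys and only recurse into
// properties the target owns itself (never inherited ones).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMixIn(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(val) && own && isPlainObject(target[key])) {
      safeDeepMixIn(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed input. JSON.parse creates '__proto__' as an ordinary own key,
// which is how it reaches a merge function from untrusted data.
const untrusted = () => JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');

function demo() {
  unsafeDeepMixIn({}, untrusted());
  const afterUnsafe = ({}).polluted === true; // unrelated new object is affected
  delete Object.prototype.polluted;           // restore the global prototype
  const merged = safeDeepMixIn({}, untrusted());
  const afterSafe = ({}).polluted === true;
  return { afterUnsafe, afterSafe, name: merged.name };
}
```

Calling `demo()` returns whether a fresh, unrelated object picked up the `polluted` property after each merge, which makes a usable regression check for any recursive merge helper in a code base.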
Permalink: https://github.com/advisories/GHSA-pc58-wgmc-hfjr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBjNTgtd2dtYy1oZmpy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-pc58-wgmc-hfjr, CVE-2020-7792
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7792
- https://snyk.io/vuln/SNYK-JS-MOUT-1014544
- https://github.com/mout/mout/commit/3fecf1333e6d71ae72edf48c71dc665e40df7605
- https://github.com/mout/mout/blob/master/src/object/deepFillIn.js
- https://github.com/mout/mout/blob/master/src/object/deepMixIn.js
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373
- https://github.com/advisories/GHSA-pc58-wgmc-hfjr
Blast Radius: 34.9
Affected Packages
npm:mout
Dependent packages: 420
Dependent repositories: 45,303
Downloads: 1,484,769 last month
Affected Version Ranges: < 1.2.3
Fixed in: 1.2.3
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2
All unaffected versions: 1.2.3, 1.2.4