Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJycW0tcDIyMi04cGgy
Prototype Pollution in Dynamoose
Impact
In Dynamoose versions 2.0.0 through 2.6.0 there was a prototype pollution vulnerability in the internal utility method lib/utils/object/set.ts. This method is used throughout the Dynamoose codebase for a variety of operations.
We have not seen any evidence of this vulnerability being exploited.
We do not believe this issue impacts v1.x.x since this method was added as part of the v2 rewrite. This vulnerability also impacts v2.x.x beta/alpha versions.
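The advisory names the vulnerable helper but does not reproduce its code or say which callers pass user-controlled keys into it. The following is an added illustrative example, not Dynamoose's own lib/utils/object/set.ts and not taken from the patch commit: it models a generic "set a value at a dotted path" helper of the kind the advisory describes, first in a form that follows `__proto__` and `constructor.prototype` path segments and so writes onto Object.prototype, then in a hardened form that rejects those segments and only descends into own properties. The function names, the `FORBIDDEN_KEYS` set and the `HOSTILE_PATHS` inputs are all constructed for this example.

```javascript
// Added example (not Dynamoose code): a "set value at a dotted path" helper in
// a vulnerable and a hardened form, to show the prototype-pollution bug class
// the advisory describes. All names and inputs are constructed for illustration.

// Vulnerable form: walks every segment of the path and creates intermediate
// objects without inspecting the keys. For "__proto__.isAdmin", `current`
// becomes Object.prototype, so the final assignment lands on every object in
// the process; "constructor.prototype.isAdmin" reaches the same place.
function setVulnerable(object, path, value) {
  const keys = Array.isArray(path) ? path : path.split(".");
  let current = object;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (current[key] === undefined || current[key] === null) {
      current[key] = {};
    }
    current = current[key]; // follows inherited keys such as __proto__
  }
  current[keys[keys.length - 1]] = value;
  return object;
}

// Hardened form: refuse the three segments that lead to Object.prototype and
// only descend into own, non-null object properties of the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function setSafe(object, path, value) {
  const keys = Array.isArray(path) ? path : path.split(".");
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`Refusing to set unsafe key segment: ${key}`);
    }
  }
  let current = object;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(current, key);
    if (!own || typeof current[key] !== "object" || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  current[keys[keys.length - 1]] = value;
  return object;
}

// Constructed attacker-controlled inputs of the shape that triggers the bug.
const HOSTILE_PATHS = ["__proto__.isAdmin", "constructor.prototype.isAdmin"];

// Runs one setter against one path on a throwaway object, then checks whether
// a fresh, unrelated object has acquired the property (i.e. the prototype was
// polluted). Cleans up Object.prototype so later probes start from a clean state.
function probe(setter, path) {
  let threw = false;
  try {
    setter({}, path, true);
  } catch (err) {
    threw = true;
  }
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { threw, polluted };
}

function demonstrate() {
  return HOSTILE_PATHS.map((path) => ({
    path,
    vulnerable: probe(setVulnerable, path),
    safe: probe(setSafe, path),
  }));
}

console.log(JSON.stringify(demonstrate(), null, 2));
// For both paths: vulnerable -> { threw: false, polluted: true },
//                 safe       -> { threw: true,  polluted: false }
```

Run it with node. The check that matters for a practitioner is the one `probe` performs: after feeding a path such as `__proto__.isAdmin` through any helper that builds objects from request data, a brand-new `{}` must not have gained the property. That same assertion makes a cheap regression test once you have upgraded past 2.7.0, and for any similar helper in your own code.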
Patches
v2.7.0 includes a patch for this vulnerability.
Workarounds
We are unaware of any workaround for this vulnerability other than upgrading to v2.7.0 or later.
References
- Patch commit hash: 324c62b4709204955931a187362f8999805b1d8e
For more information
If you have any questions or comments about this advisory:
Credit
- GitHub CodeQL Code Scanning
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJycW0tcDIyMi04cGgy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-rrqm-p222-8ph2, CVE-2021-21304
References:
- https://github.com/dynamoose/dynamoose/security/advisories/GHSA-rrqm-p222-8ph2
- https://github.com/dynamoose/dynamoose/commit/324c62b4709204955931a187362f8999805b1d8e
- https://github.com/dynamoose/dynamoose/releases/tag/v2.7.0
- https://www.npmjs.com/package/dynamoose
- https://nvd.nist.gov/vuln/detail/CVE-2021-21304
- https://github.com/advisories/GHSA-rrqm-p222-8ph2
Blast Radius: 19.9
Affected Packages
npm:dynamoose
Dependent packages: 96
Dependent repositories: 589
Downloads: 415,373 last month
Affected Version Ranges: >= 2.0.0, < 2.7.0
Fixed in: 2.7.0
All affected versions: 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.6.0
All unaffected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.5, 0.8.6, 0.8.7, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 4.0.0, 4.0.1