CVE-2020-15256
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Summary
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mariocasciaro | object-path | < 0.11.5 | affected |
Weaknesses
- CWE-471: {"CWE-471":"Modification of Assumed-Immutable Data (MAID)"}
- CWE-20: {"CWE-20":"Improper Input Validation"}
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
- https://github.com/mariocasciaro/object-path/commit/2be3354c6c46215c7635eb1b76d80f1319403c68
References
- https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
- https://github.com/mariocasciaro/object-path/commit/2be3354c6c46215c7635eb1b76d80f1319403c68
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.