CVE-2022-31106
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Summary
Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of underscore.deep prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to deepFromFlat, which would pollute any future Objects created. Any users that have deepFromFlat or deepPick (due to its dependency on deepFromFlat) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying deepFromFlat to prevent specific keywords which will prevent this from happening.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Clever | underscore.deep | < 0.5.3 | affected |
Weaknesses
- CWE-915: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
- CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm
- https://github.com/Clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm
- https://github.com/Clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.