Bug 2004944 (CVE-2021-23440) - CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747
Summary: CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747
Keywords:
Status: NEW
Alias: CVE-2021-23440
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2004945 2012071 2012072 2012074 2012075 2012080 2013239 2016080 2006743 2012073 2012076 2012077 2012078 2012079 2012081 2013240 2013241
Blocks: 2004947
 
Reported: 2021-09-16 13:35 UTC by Marian Rehak
Modified: 2021-10-20 18:19 UTC (History)

Fixed In Version: set-value 4.0.1
Doc Type: If docs needed, set a value
Doc Text:
A type confusion vulnerability in nodejs-set-value can lead to a bypass of CVE-2019-10747. If the user-provided keys used in the path parameter are arrays, set-value's unsafe-key check can be bypassed and the function tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or __proto__ payloads. This vulnerability can impact data confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed:



Description Marian Rehak 2021-09-16 13:35:03 UTC
A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

External Reference:

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212
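The bypass described in the Doc Text and in the description above, as an added example that is not part of this bug report and is not set-value's own code. `setPathVulnerable` is a deliberately minimal re-implementation of the pattern the advisory describes (a strict string comparison against `__proto__`, `constructor` and `prototype`, followed by a property walk); `setPathHardened` adds a type check that rejects any non-string, non-symbol key before the comparison, which is the kind of check that closes this class of bypass (read the actual set-value 4.0.1 change for the upstream fix). The payloads and the `probe`/`demonstrate` helpers are constructed here for illustration.

```javascript
'use strict';

// Illustrative re-implementation of the pattern behind CVE-2021-23440.
// This is NOT set-value's code: it is a minimal deep-set routine written
// here to show why a string-equality check on unsafe keys is bypassable
// when an element of the path array is itself an array.

const UNSAFE_KEYS = ['__proto__', 'constructor', 'prototype'];

// Strict comparison: true only when `key` is literally one of the three
// dangerous strings. An array such as ['__proto__'] is never === to any.
const isUnsafeKey = key => UNSAFE_KEYS.includes(key);

// Vulnerable variant. A key like ['__proto__'] passes isUnsafeKey, but the
// property access obj[key] coerces it with String(key) to '__proto__' and
// walks into Object.prototype (likewise ['constructor'] then ['prototype']).
function setPathVulnerable(target, keys, value) {
  let obj = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (isUnsafeKey(key)) throw new Error(`Cannot set unsafe key: "${key}"`);
    if (i === keys.length - 1) {
      obj[key] = value;
    } else {
      if (obj[key] == null) obj[key] = {};
      obj = obj[key];
    }
  }
  return target;
}

// Hardened variant: reject any key that is not a string or symbol BEFORE
// the unsafe-key comparison, so coercion never gets a chance to run.
function setPathHardened(target, keys, value) {
  let obj = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (typeof key !== 'string' && typeof key !== 'symbol') {
      throw new TypeError(`Object keys must be strings or symbols, got ${typeof key}`);
    }
    if (isUnsafeKey(key)) throw new Error(`Cannot set unsafe key: "${key}"`);
    if (i === keys.length - 1) {
      obj[key] = value;
    } else {
      if (obj[key] == null) obj[key] = {};
      obj = obj[key];
    }
  }
  return target;
}

// Constructed payloads: path elements that are arrays, as the advisory
// describes. Each coerces to an unsafe key only at property-access time.
const PAYLOADS = [
  [['__proto__'], 'polluted'],
  [['constructor'], ['prototype'], 'polluted'],
];

// Runs one payload against a setter and reports whether a fresh object
// afterwards sees the property. Always cleans Object.prototype up again.
function probe(setter, payload) {
  let threw = null;
  try {
    setter({}, payload, 'yes');
  } catch (e) {
    threw = e.constructor.name;
  }
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { threw, polluted };
}

// Compares both variants on every payload.
function demonstrate() {
  return PAYLOADS.map(payload => ({
    payload: JSON.stringify(payload),
    vulnerable: probe(setPathVulnerable, payload),
    hardened: probe(setPathHardened, payload),
  }));
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Note that the vulnerable variant does reject a plain string `'__proto__'` in the path; the check is only wrong about the type of the key, not its value, which is why this counts as a bypass of the earlier CVE-2019-10747 fix rather than a missing check.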

Comment 1 Marian Rehak 2021-09-16 13:35:18 UTC
Created nodejs-set-value tracking bugs for this issue:

Affects: fedora-33 [bug 2004945]

Comment 2 Przemyslaw Roguski 2021-09-17 07:46:37 UTC
Downgrading the impact to Moderate, as this does not qualify for an Important severity Red Hat rating.

