EIQ-2019-0032
| ID | EIQ-2019-0032 |
|---|---|
| CVE | |
| Description | set-value enables prototype pollution |
| Date | 04 Sep 2019 |
| Severity | 4 - CRITICAL |
| CVSSv3 score | 9.8 |
| Status | ✅ 2.5.0 |
| Assessment | set-value versions 2.0.0 and earlier, and versions 3.0.0 and earlier, could enable an attacker to inject properties into JavaScript prototype objects (prototype pollution) by exploiting a vulnerability in the set function: set fails to validate updated object properties. An attacker could add or modify object prototype properties. Modified properties are propagated to all objects through inheritance. An attacker could leverage prototype pollution to remotely execute arbitrary code, or to trigger JavaScript exceptions to carry out a denial of service (DoS) attack. Note: This vulnerability is a false positive: this dependency is never packaged in our production code. |
| Mitigation | Upgrade set-value to version 2.0.1 or later, or version 3.0.1 or later, as per the vendor’s recommendation. At the moment, it is not possible to globally upgrade set-value, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies. We cannot control these dependencies. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers. Note: We test direct dependencies by scanning fixed builds, and then by checking the corresponding vulnerability reports to verify that they no longer include the addressed vulnerabilities. At the moment, there is no way to reliably test indirect dependencies. |
| Affected versions | 2.4.0 and earlier |
| Notes | For more information, see: |
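The missing validation the assessment describes, as an added example that is not set-value's own code: a minimal dotted-path setter in the style of set(obj, "a.b.c", value) without segment validation, beside a hardened one that refuses `__proto__`, `constructor` and `prototype` segments, plus a regression check that tells whether a call leaked a property into Object.prototype. The function names, UNSAFE_KEYS and the marker property are assumptions made for this illustration.

```javascript
// Path segments that must never be traversed or assigned: writing through
// them lands on Object.prototype instead of on the target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "Before": walks the dotted path and assigns without validating segments,
// the defect class the advisory attributes to set-value's set function.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// "After": rejects unsafe segments up front and only descends into own
// plain-object properties, so inherited values like `constructor` are never followed.
function safeSet(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => UNSAFE_KEYS.has(k))) {
    throw new TypeError('refusing to set unsafe path: ' + path);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, keys[i]);
    if (!own || typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Regression check: after calling `setter` on a throwaway object, does a
// brand-new, unrelated object inherit the marker? Any leak is cleaned up.
function pollutes(setter, prefix) {
  const marker = 'eiq_marker'; // constructed property name
  try {
    setter({}, prefix + '.' + marker, 'polluted');
  } catch (e) {
    return false; // the hardened setter refuses the path
  }
  const leaked = ({})[marker] === 'polluted';
  delete Object.prototype[marker];
  return leaked;
}
```

A check like `pollutes` belongs in a dependency's test suite so a regression in path validation is caught before a release ships.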