CVE-2020-7766

{"id": "CVE-2020-7766", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-11-10T16:15:14.963", "references": [{"url": "https://github.com/flitbit/json-ptr/blob/master/src/util.ts%23L174", "tags": ["Broken Link"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038396", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JS-JSONPTR-1016939", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/flitbit/json-ptr/blob/master/src/util.ts%23L174", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038396", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://snyk.io/vuln/SNYK-JS-JSONPTR-1016939", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution."}, {"lang": "es", "value": "Esto afecta a todas las versiones del paquete json-ptr. El problema ocurre en la operaci\u00f3n de configuraci\u00f3n (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) cuando el flag de fuerza se establece en verdadero. La funci\u00f3n establece de forma recursiva la propiedad en el objeto objetivo, sin embargo, no comprueba correctamente la clave que est\u00e1 siendo configurada, lo que genera una contaminaci\u00f3n de prototipo"}], "lastModified": "2024-11-21T05:37:45.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:json-ptr_project:json-ptr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9AF4834D-2800-4630-BCE0-787B331DD741", "versionEndExcluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}