This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload.
References
Link | Resource |
---|---|
https://github.com/graphhopper/graphhopper/pull/2370 | Patch Third Party Advisory |
https://github.com/graphhopper/graphhopper/releases/tag/3.1 | Release Notes Third Party Advisory |
https://github.com/graphhopper/graphhopper/releases/tag/3.2 | Release Notes Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-COMGRAPHHOPPER-1320114 | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
08 Aug 2023, 14:22
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-1321 |
Information
Published : 2021-07-21 16:15
Updated : 2024-02-28 18:28
NVD link : CVE-2021-23408
Mitre link : CVE-2021-23408
CVE.ORG link : CVE-2021-23408
JSON object : View
Products Affected
graphhopper
- graphhopper
CWE
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')