CVE-2021-23574

All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-1023655).

CVSS v3 7.5 HIGH
CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/js-data/js-data/blob/master/dist/js-data.js%23L472	Broken Link Third Party Advisory
https://github.com/js-data/js-data/issues/576	Issue Tracking Patch Third Party Advisory
https://github.com/js-data/js-data/issues/577	Issue Tracking Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2320790	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2320791	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JS-JSDATA-1584361	Exploit Third Party Advisory
https://github.com/js-data/js-data/blob/master/dist/js-data.js%23L472	Broken Link Third Party Advisory
https://github.com/js-data/js-data/issues/576	Issue Tracking Patch Third Party Advisory
https://github.com/js-data/js-data/issues/577	Issue Tracking Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2320790	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2320791	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JS-JSDATA-1584361	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:js-data:js-data:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 05:51

Type	Values Removed	Values Added
CVSS	v2 : ~~7.5~~ v3 : ~~9.8~~	v2 : 7.5 v3 : 7.5
References	~~() https://github.com/js-data/js-data/blob/master/dist/js-data.js%23L472 - Broken Link, Third Party Advisory~~	() https://github.com/js-data/js-data/blob/master/dist/js-data.js%23L472 - Broken Link, Third Party Advisory
References	~~() https://github.com/js-data/js-data/issues/576 - Issue Tracking, Patch, Third Party Advisory~~	() https://github.com/js-data/js-data/issues/576 - Issue Tracking, Patch, Third Party Advisory
References	~~() https://github.com/js-data/js-data/issues/577 - Issue Tracking, Patch, Third Party Advisory~~	() https://github.com/js-data/js-data/issues/577 - Issue Tracking, Patch, Third Party Advisory
References	~~() https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2320790 - Exploit, Third Party Advisory~~	() https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2320790 - Exploit, Third Party Advisory
References	~~() https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2320791 - Exploit, Third Party Advisory~~	() https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2320791 - Exploit, Third Party Advisory
References	~~() https://snyk.io/vuln/SNYK-JS-JSDATA-1584361 - Exploit, Third Party Advisory~~	() https://snyk.io/vuln/SNYK-JS-JSDATA-1584361 - Exploit, Third Party Advisory

Information

Published : 2021-12-24 20:15

Updated : 2024-11-21 05:51

NVD link : CVE-2021-23574

Mitre link : CVE-2021-23574

CVE.ORG link : CVE-2021-23574

JSON object : View

Products Affected

js-data

js-data

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

7.5 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2021-23574

7.5^/10

7.5^/10

Attach tags to `CVE-2021-23574`