CVE-2024-29042

{"id": "CVE-2024-29042", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-03-22T17:15:07.990", "references": [{"url": "https://github.com/franciscop/translate/commit/7a2bf8b9f05f7c45c09683973ef4d8e995804aa4", "source": "security-advisories@github.com"}, {"url": "https://github.com/franciscop/translate/commit/cc1ba03078102f83e0503a96f1a081489bb865d3", "source": "security-advisories@github.com"}, {"url": "https://github.com/franciscop/translate/security/advisories/GHSA-882j-4vj5-7vmj", "source": "security-advisories@github.com"}, {"url": "https://github.com/franciscop/translate/commit/7a2bf8b9f05f7c45c09683973ef4d8e995804aa4", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/franciscop/translate/commit/cc1ba03078102f83e0503a96f1a081489bb865d3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/franciscop/translate/security/advisories/GHSA-882j-4vj5-7vmj", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Translate is a package that allows users to convert text to different languages on Node.js and the browser. Prior to version 3.0.0, an attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change the outcome of translation requests made by subsequent users. The `opt.id` parameter allows the overwriting of the cache key. If an attacker sets the `id` variable to the cache key that would be generated by another user, they can choose the response that user gets served. Version 3.0.0 fixes this issue."}, {"lang": "es", "value": "Translate es un paquete que permite a los usuarios convertir texto a diferentes idiomas en Node.js y el navegador. Antes de la versi\u00f3n 3.0.0, un atacante que controlaba la segunda variable de la funci\u00f3n \"traducir\" pod\u00eda realizar un ataque de envenenamiento de cach\u00e9. Pueden cambiar el resultado de las solicitudes de traducci\u00f3n realizadas por usuarios posteriores. El par\u00e1metro `opt.id` permite sobrescribir la clave de cach\u00e9. Si un atacante establece la variable `id` en la clave de cach\u00e9 que generar\u00eda otro usuario, puede elegir la respuesta que recibir\u00e1 ese usuario. La versi\u00f3n 3.0.0 soluciona este problema."}], "lastModified": "2024-11-21T09:07:26.187", "sourceIdentifier": "security-advisories@github.com"}