The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
References
Link | Resource |
---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | Patch Third Party Advisory |
https://github.com/yargs/y18n/issues/96 | Exploit Third Party Advisory |
https://github.com/yargs/y18n/pull/108 | Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306 | Exploit Third Party Advisory |
https://snyk.io/vuln/SNYK-JS-Y18N-1021887 | Exploit Third Party Advisory |
https://www.oracle.com/security-alerts/cpuApr2021.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
02 Dec 2022, 19:40
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-1321 |
14 Oct 2022, 15:15
Type | Values Removed | Values Added |
---|---|---|
Summary | The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. |
19 Apr 2022, 15:41
Type | Values Removed | Values Added |
---|---|---|
First Time |
Oracle graalvm
Oracle Siemens sinec Infrastructure Network Services Siemens |
|
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
References | (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:* cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:* cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:* cpe:2.3:a:y18n_project:y18n:4.0.0:*:*:*:*:node.js:*:* cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* |
10 Mar 2022, 17:41
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
CWE | CWE-915 |
14 Jun 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Jan 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
Summary | This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true |
Information
Published : 2020-11-17 13:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-7774
Mitre link : CVE-2020-7774
CVE.ORG link : CVE-2020-7774
JSON object : View
Products Affected
oracle
- graalvm
siemens
- sinec_infrastructure_network_services
y18n_project
- y18n
CWE
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')