This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.
References
Link | Resource |
---|---|
https://github.com/Stuk/jszip/blob/master/lib/object.js%23L88 | Broken Link |
https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36 | Patch Third Party Advisory |
https://github.com/Stuk/jszip/pull/766 | Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1251499 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1251498 | Exploit Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JS-JSZIP-1251497 | Exploit Patch Third Party Advisory |
Configurations
History
27 Aug 2021, 15:41
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 5.3 |
04 Aug 2021, 17:53
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://github.com/Stuk/jszip/pull/766 - Third Party Advisory | |
References | (CONFIRM) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1251498 - Exploit, Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36 - Patch, Third Party Advisory | |
References | (CONFIRM) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1251499 - Exploit, Patch, Third Party Advisory | |
References | (CONFIRM) https://snyk.io/vuln/SNYK-JS-JSZIP-1251497 - Exploit, Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/Stuk/jszip/blob/master/lib/object.js%23L88 - Broken Link | |
CPE | cpe:2.3:a:jszip_project:jszip:*:*:*:*:*:node.js:*:* | |
CWE | NVD-CWE-noinfo | |
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 7.5 |
25 Jul 2021, 14:15
Type | Values Removed | Values Added |
---|---|---|
Summary | This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance. |
25 Jul 2021, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-07-25 13:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-23413
Mitre link : CVE-2021-23413
CVE.ORG link : CVE-2021-23413
JSON object : View
Products Affected
jszip_project
- jszip
CWE