CVE-2021-26707

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
Configurations

Configuration 1 (hide)

cpe:2.3:a:merge-deep_project:merge-deep:*:*:*:*:*:node.js:*:*

Configuration 2 (hide)

cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

History

02 Dec 2022, 19:37

Type Values Removed Values Added
CWE CWE-915
NVD-CWE-Other
CWE-1321

14 Sep 2021, 17:10

Type Values Removed Values Added
CWE CWE-915
CPE cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210716-0008/ - Third Party Advisory

15 Jun 2021, 10:47

Type Values Removed Values Added
References (MISC) https://www.npmjs.com/package/merge-deep - (MISC) https://www.npmjs.com/package/merge-deep - Product, Third Party Advisory
References (MISC) https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep/ - (MISC) https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep/ - Third Party Advisory
References (MISC) https://github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5 - (MISC) https://github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5 - Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 7.5
v3 : 9.8
CPE cpe:2.3:a:merge-deep_project:merge-deep:*:*:*:*:*:node.js:*:*
CWE NVD-CWE-Other

02 Jun 2021, 15:17

Type Values Removed Values Added
New CVE

Information

Published : 2021-06-02 15:15

Updated : 2023-12-10 13:55


NVD link : CVE-2021-26707

Mitre link : CVE-2021-26707

CVE.ORG link : CVE-2021-26707


JSON object : View

Products Affected

netapp

  • e-series_performance_analyzer

merge-deep_project

  • merge-deep
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')