deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.
References
Link | Resource |
---|---|
https://fluidattacks.com/advisories/heldens/ | Exploit Third Party Advisory |
https://github.com/mattphillips/deep-object-diff | Product |
Configurations
Configuration 1 (hide)
|
History
05 Nov 2022, 01:38
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-1321 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
References | (MISC) https://github.com/mattphillips/deep-object-diff - Product | |
References | (MISC) https://fluidattacks.com/advisories/heldens/ - Exploit, Third Party Advisory | |
First Time |
Deep-object-diff Project deep-object-diff
Deep-object-diff Project |
|
CPE | cpe:2.3:a:deep-object-diff_project:deep-object-diff:1.1.0:*:*:*:*:node.js:*:* |
03 Nov 2022, 20:35
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-03 20:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-41713
Mitre link : CVE-2022-41713
CVE.ORG link : CVE-2022-41713
JSON object : View
Products Affected
deep-object-diff_project
- deep-object-diff
CWE
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')