CVE-2023-26139

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-26139

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26139.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-26139

Aliases

GHSA-gpvc-mx6g-cchv

Withdrawn

2024-05-15T05:33:35.856588Z

Published

2023-08-01T05:15:34Z

Modified

2023-11-29T09:54:47.396293Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “proto”.

References

Affected packages

Git / github.com/jeeeyul/underscore-keypath

Affected ranges

Type: GIT
Repo: https://github.com/jeeeyul/underscore-keypath
Events: Introduced

6d7ea0b1561f30e576791ffe3d746ac18ba9800c

Affected versions

v0.*

v0.0.11

v0.0.12

v0.0.13

v0.0.14

v0.0.15

v0.0.16

v0.0.18

v0.0.19

v0.0.20

v0.0.21

v0.0.22

v0.9.0

v0.9.1

v0.9.2

v0.9.3