GHSA-4c2g-hx49-7h25

Source
https://github.com/advisories/GHSA-4c2g-hx49-7h25
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-4c2g-hx49-7h25/GHSA-4c2g-hx49-7h25.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4c2g-hx49-7h25
Aliases
  • CVE-2024-23339
Published
2024-01-23T14:43:13Z
Modified
2024-01-23T14:56:36.720812Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
Prototype pollution not blocked by object-path related utilities in hoolock
Details

Impact

Utility functions related to object paths (get, set and update) did not block attempts to access or alter object prototypes.

Patches

In versions >=2.2.1, the get, set and update functions throw a TypeError when a user attempts to access or alter inherited properties.
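
The behaviour described under Impact and Patches, shown as an added example that is not hoolock's source code: an unguarded path setter beside one that throws a TypeError on inherited keys. The names naiveSet, guardedSet and demo are hypothetical, and the own-property check is an assumed way to get the patched behaviour, not the project's actual implementation.

```javascript
// Added illustration, not hoolock's code. All function names are hypothetical.

// Unguarded path setter: follows whatever each key resolves to, including
// inherited accessors such as __proto__.
function naiveSet(target, path, value) {
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (node[key] === null || typeof node[key] !== "object") node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Guarded setter (assumed approach): a key may be traversed or assigned only
// if it is absent or an own property of the current node.
function guardedSet(target, path, value) {
  let node = target;
  path.forEach((key, i) => {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own && key in node) {
      throw new TypeError(`refusing inherited property "${String(key)}"`);
    }
    if (i === path.length - 1) {
      node[key] = value;
    } else {
      if (!own || node[key] === null || typeof node[key] !== "object") node[key] = {};
      node = node[key];
    }
  });
  return target;
}

// Runs both setters against a constructed path that reaches the prototype.
function demo() {
  const path = ["__proto__", "polluted"]; // constructed sample input
  naiveSet({}, path, true);
  const leaked = {}.polluted === true; // unrelated objects now inherit the key
  delete Object.prototype.polluted; // undo the change before continuing
  let blocked = false;
  try {
    guardedSet({}, path, true);
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  return { leaked, blocked, clean: !("polluted" in {}) };
}

console.log(demo());
```

The guard also rejects paths that go through constructor, because that key is inherited rather than own on a plain object.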

Database specific
{
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-23T14:43:13Z",
    "nvd_published_at": "2024-01-22T23:15:08Z",
    "severity": "MODERATE"
}
References

Affected packages

npm / hoolock

Package

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.2.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-4c2g-hx49-7h25/GHSA-4c2g-hx49-7h25.json"