GHSA-6339-gv7w-g5f4

Suggest an improvement
Source
https://github.com/advisories/GHSA-6339-gv7w-g5f4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-6339-gv7w-g5f4/GHSA-6339-gv7w-g5f4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6339-gv7w-g5f4
Aliases
  • CVE-2024-45277
Published
2024-10-08T06:30:47Z
Modified
2024-10-08T15:12:10.986096Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
SAP HANA Node.js client package vulnerable to Prototype Pollution
Details

The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.

Database specific
{
    "cwe_ids": [
        "CWE-1321"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2024-10-08T14:37:55Z",
    "github_reviewed": true,
    "nvd_published_at": "2024-10-08T04:15:08Z"
}
References

Affected packages

npm / @sap/hana-client

Package

Name
@sap/hana-client
View open source insights on deps.dev
Purl
pkg:npm/%40sap/hana-client

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.21.31

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-6339-gv7w-g5f4/GHSA-6339-gv7w-g5f4.json"