UBUNTU-CVE-2018-3750

Source
https://ubuntu.com/security/CVE-2018-3750
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-3750.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2018-3750
Related
Published
2018-07-03T21:29:00Z
Modified
2024-10-15T14:06:40Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

References

Affected packages

Ubuntu:Pro:18.04:LTS / node-deep-extend

Package

Name
node-deep-extend
Purl
pkg:deb/ubuntu/node-deep-extend?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.4.1-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / node-deep-extend

Package

Name
node-deep-extend
Purl
pkg:deb/ubuntu/node-deep-extend?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.1-3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0.4.1-3",
            "binary_name": "node-deep-extend"
        }
    ]
}