CVE-2020-28276

Critical

Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to…

Mend·NVD-CWE-noinfo·Published 2020-12-29

CVSS

9.8

EPSS

0.03

KEV

Exploits

cve.orgen

160 chars

Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

NVDen

160 chars

Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

The NPM module 'deep-set' can be abused by Prototype Pollution vulnerability since the function `deepSet()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution. ### PoC ```js var deepSet = require('deep-set') var obj = {'1':'2'} console.log(obj.isAdmin); deepSet(obj, '__proto__.isAdmin', 'true') console.log(obj.isAdmin); ```

GHSAen

524 chars

NVDes

198 chars

Una vulnerabilidad de contaminación de prototipo en "deep-set" versiones 1.0.0 hasta 1.0.1, permite a un atacante causar una denegación de servicio y puede conllevar a una ejecución de código remota

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.5	10.0	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
3.1	Primary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	GHSA	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H