{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2018-16472", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "dateUpdated": "2024-08-05T10:24:32.809Z", "dateReserved": "2018-09-04T00:00:00", "datePublished": "2018-11-06T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2022-12-05T00:00:00"}, "descriptions": [{"lang": "en", "value": "A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack."}], "affected": [{"vendor": "npm", "product": "cached-path-relative", "versions": [{"version": "<=1.0.1", "status": "affected"}]}], "references": [{"url": "https://hackerone.com/reports/390847"}, {"name": "[debian-lts-announce] 20221204 [SECURITY] [DLA 3221-1] node-cached-path-relative security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "Denial of Service (CWE-400)", "cweId": "CWE-400"}]}], "datePublic": "2018-11-02T00:00:00"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T10:24:32.809Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/390847", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20221204 [SECURITY] [DLA 3221-1] node-cached-path-relative security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cached-path-relative_project:cached-path-relative:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C82FE18C-F97B-4CE8-81A2-38502478F2A0", "versionEndIncluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack."}, {"lang": "es", "value": "Un ataque de poluci\u00f3n de prototipos en cached-path-relative en versiones iguales o anteriores a la 1.0.1 permite que un atacante inyecte propiedades en Object.prototype que despu\u00e9s son heredadas por todos los objetos JS mediante la cadena de prototipos, lo que provoca un ataque de denegaci\u00f3n de servicio (DoS)."}], "id": "CVE-2018-16472", "lastModified": "2023-02-03T18:57:06.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-11-06T19:29:00.227", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/390847"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"bugzilla": {"description": "nodejs-cached-path-relative: prototype pollution due to injected properties on Object.prototype", "id": "1649118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1649118"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack."], "name": "CVE-2018-16472", "package_state": [{"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Out of support scope", "package_name": "nodejs-cached-path-relative", "product_name": "Red Hat Mobile Application Platform 4"}], "public_date": "2018-11-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-16472\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-16472"], "threat_severity": "Moderate", "upstream_fix": "nodejs-cached-path-relative 1.0.2"}