{"containers": {"cna": {"affected": [{"product": "set-value", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions before 2.0.1 and version 3.0.0"}]}], "descriptions": [{"lang": "en", "value": "set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads."}], "problemTypes": [{"descriptions": [{"description": "Prototype Pollution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-08T03:06:21", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213"}, {"name": "[drat-dev] 20191029 [GitHub] [drat] ottlinger opened a new issue #202: Fix security issue in set-value", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292%40%3Cdev.drat.apache.org%3E"}, {"name": "FEDORA-2020-1f1c94907b", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/"}, {"name": "FEDORA-2020-582515fa8a", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "ID": "CVE-2019-10747", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "set-value", "version": {"version_data": [{"version_value": "All versions before 2.0.1 and version 3.0.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Prototype Pollution"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213"}, {"name": "[drat-dev] 20191029 [GitHub] [drat] ottlinger opened a new issue #202: Fix security issue in set-value", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E"}, {"name": "FEDORA-2020-1f1c94907b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/"}, {"name": "FEDORA-2020-582515fa8a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:32:01.472Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213"}, {"name": "[drat-dev] 20191029 [GitHub] [drat] ottlinger opened a new issue #202: Fix security issue in set-value", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292%40%3Cdev.drat.apache.org%3E"}, {"name": "FEDORA-2020-1f1c94907b", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/"}, {"name": "FEDORA-2020-582515fa8a", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2019-10747", "datePublished": "2019-08-23T16:46:36", "dateReserved": "2019-04-03T00:00:00", "dateUpdated": "2024-08-04T22:32:01.472Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:set-value_project:set-value:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DCB6675E-2AC8-41C4-BC11-023E5E61AAF6", "versionEndExcluding": "2.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:set-value_project:set-value:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "585D233E-4369-4A15-A2E0-A6379FD880BC", "versionEndExcluding": "3.0.1", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads."}, {"lang": "es", "value": "set-value es vulnerable a Prototype Pollution en versiones anteriores a 2.0.1 y la versi\u00f3n 3.0.0. La funci\u00f3n mixin-deep podr\u00eda ser enga\u00f1ada para agregar o modificar propiedades de Object.prototype usando cualquiera de las cargas \u00fatiles de constructor, prototipo y _proto_ payloads."}], "id": "CVE-2019-10747", "lastModified": "2023-11-07T03:02:33.160", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-23T17:15:13.403", "references": [{"source": "report@snyk.io", "url": "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292%40%3Cdev.drat.apache.org%3E"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0549", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "low", "package": "nodejs:12-8030020210129141730.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-02-16T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.20.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.20.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.20.1-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-11T00:00:00Z"}, {"advisory": "RHSA-2021:0485", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-02-11T00:00:00Z"}], "bugzilla": {"description": "nodejs-set-value: prototype pollution in function set-value", "id": "1795479", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1795479"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-471", "details": ["set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.", "A flaw was found in nodejs-set-value. The function mixin-deep can be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or _proto_ payloads. The highest threat from this vulnerability is to data confidentiality and integrity."], "name": "CVE-2019-10747", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "impact": "low", "package_name": "nodejs:10/nodejs-nodemon", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "impact": "moderate", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "moderate", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Will not fix", "impact": "low", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "impact": "moderate", "package_name": "nodejs-set-value", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "impact": "low", "package_name": "rh-nodejs10-nodejs-nodemon", "product_name": "Red Hat Software Collections"}], "public_date": "2019-06-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10747\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10747"], "statement": "While OpenShift Container Platform (OCP) contains the affected nodejs-set-value code, it's added as a dependency of Kibana 5. Similar issue about prototype pollution [1] have been fixed, but no known attack vector was found, so we're rating this issue as Low for OCP. \nIn Red Hat Software Collections and Red Hat Enterprise Linux 8, nodejs-set-value is bundled into nodejs-nodemon, and is not meant to be accessed outside of that package. Within nodemon, this flaw is rated with a Low severity.\nOpenShift distributed tracing bundles vulnerable version of Nodejs set-value package, however the components are protected by OpenShift OAuth, hence the impact by this vulnerability is reduced to LOW.\n[1] CVE-2019-10744 https://www.elastic.co/community/security", "threat_severity": "Important", "upstream_fix": "nodejs-set-value 3.0.1, nodejs-set-value 2.0.1"}