{"containers": {"cna": {"affected": [{"product": "getobject", "vendor": "n/a", "versions": [{"status": "affected", "version": "0.1.0"}]}], "descriptions": [{"lang": "en", "value": "Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution."}], "problemTypes": [{"descriptions": [{"description": "Prototype Pollution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-29T19:20:35", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "ID": "CVE-2020-28282", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "getobject", "version": {"version_data": [{"version_value": "0.1.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Prototype Pollution"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48", "refsource": "MISC", "url": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48"}, {"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282", "refsource": "CONFIRM", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:33:58.277Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282"}]}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2020-28282", "datePublished": "2020-12-29T17:05:05", "dateReserved": "2020-11-06T00:00:00", "dateUpdated": "2024-08-04T16:33:58.277Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getobject_project:getobject:0.1.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "8972DA61-B530-4FBC-9DE1-45BE5CD65F5C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution."}, {"lang": "es", "value": "Una vulnerabilidad de contaminaci\u00f3n de prototipo en \"getobject\" versi\u00f3n 0.1.0, permite a un atacante causar una denegaci\u00f3n de servicio y puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota"}], "id": "CVE-2020-28282", "lastModified": "2020-12-30T21:59:01.787", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-29T18:15:12.870", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nodejs-getobject: Prototype pollution could result in DoS and RCE", "id": "1912463", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1912463"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-915", "details": ["Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.", "A flaw was found in nodejs-getobject. The `set()` function does not check for the type of object before assigning value to the property allowing an attacker to create a non-existent property or allow the manipulation of the property which could lead to a denial of service or a remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2020-28282", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}], "public_date": "2020-12-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-28282\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28282\nhttps://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48\nhttps://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282"], "statement": "In OpenShift ServiceMesh (OSSM) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-getobject library to authenticated users only, therefore the impact is Low. OpenShift ServiceMesh (OSSM) 1.1 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope.", "threat_severity": "Important"}