CVE-2020-7616 - OpenCVE

express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Express-mock-middleware Project	Express-mock-middleware

Configuration 1 [-]

cpe:2.3:a:express-mock-middleware_project:express-mock-middleware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/LingyuCoder/express-mock-middleware/blob/master/lib/index.js#L39
https://snyk.io/vuln/SNYK-JS-EXPRESSMOCKMIDDLEWARE-564120

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-04-07T13:16:20

Updated: 2024-08-04T09:33:19.989Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7616

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-07T14:15:14.387

Modified: 2022-12-02T19:57:49.770

Link: CVE-2020-7616

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "express-mock-middleware", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions including 0.0.6"}]}], "datePublic": "2020-04-01T00:00:00", "descriptions": [{"lang": "en", "value": "express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk."}], "problemTypes": [{"descriptions": [{"description": "Prototype Pollution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-07T13:16:20", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSMOCKMIDDLEWARE-564120"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/LingyuCoder/express-mock-middleware/blob/master/lib/index.js#L39"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "ID": "CVE-2020-7616", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "express-mock-middleware", "version": {"version_data": [{"version_value": "All versions including 0.0.6"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Prototype Pollution"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-EXPRESSMOCKMIDDLEWARE-564120", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSMOCKMIDDLEWARE-564120"}, {"name": "https://github.com/LingyuCoder/express-mock-middleware/blob/master/lib/index.js#L39", "refsource": "MISC", "url": "https://github.com/LingyuCoder/express-mock-middleware/blob/master/lib/index.js#L39"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:33:19.989Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSMOCKMIDDLEWARE-564120"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/LingyuCoder/express-mock-middleware/blob/master/lib/index.js#L39"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7616", "datePublished": "2020-04-07T13:16:20", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:19.989Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:express-mock-middleware_project:express-mock-middleware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4869CE6-DE9B-4140-A408-4A59E13E5938", "versionEndIncluding": "0.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk."}, {"lang": "es", "value": "express-mock-middleware versiones hasta 0.0.6, es vulnerable a una Contaminaci\u00f3n de Prototipos. Las funciones exportadas por el paquete pueden ser enga\u00f1adas para agregar o modificar propiedades del \"Object.prototype\". Una explotaci\u00f3n de esta vulnerabilidad requiere la creaci\u00f3n de un nuevo directorio donde un c\u00f3digo de ataque se pueda colocar, que luego ser\u00eda exportado por \"express-mock-middleware\". Como tal, esto es considerado de bajo riesgo."}], "id": "CVE-2020-7616", "lastModified": "2022-12-02T19:57:49.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-07T14:15:14.387", "references": [{"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://github.com/LingyuCoder/express-mock-middleware/blob/master/lib/index.js#L39"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSMOCKMIDDLEWARE-564120"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}