CVE-2021-23771 - OpenCVE

This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Argencoders-notevil Project	Argencoders-notevil
Notevil Project	Notevil

Configuration 1 [-]

OR	cpe:2.3:a:argencoders-notevil_project:argencoders-notevil::::::node.js::*
	cpe:2.3:a:notevil_project:notevil::::::node.js::*

No data.

References

Link	Providers
https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587
https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-03-17T11:20:35.048563Z

Updated: 2024-09-17T00:20:38.770Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23771

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-17T12:15:07.740

Modified: 2022-03-24T01:46:38.647

Link: CVE-2021-23771

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "notevil", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}, {"product": "argencoders-notevil", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Cristian-Alexandru Staicu"}, {"lang": "en", "value": "Abdullah Alhamdan"}], "datePublic": "2022-03-17T00:00:00", "descriptions": [{"lang": "en", "value": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "LOW", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Sandbox Bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-17T11:20:34", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587"}], "title": "Sandbox Bypass", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-03-17T11:16:10.096414Z", "ID": "CVE-2021-23771", "STATE": "PUBLIC", "TITLE": "Sandbox Bypass"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "notevil", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}, {"product": {"product_data": [{"product_name": "argencoders-notevil", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Cristian-Alexandru Staicu"}, {"lang": "eng", "value": "Abdullah Alhamdan"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878)."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Sandbox Bypass"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946"}, {"name": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:14:09.343Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23771", "datePublished": "2022-03-17T11:20:35.048563Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-17T00:20:38.770Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:argencoders-notevil_project:argencoders-notevil:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4FB7BAC2-912E-411E-8F07-EFC844BF97AC", "versionEndIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:notevil_project:notevil:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3021DEE3-01BA-4C44-925B-C06F24FD95F5", "versionEndIncluding": "1.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878)."}, {"lang": "es", "value": "Esto afecta a todas las versiones del paquete notevil; todas las versiones del paquete argencoders-notevil. Es vulnerable a un Escape del Sandbox conllevando a una contaminaci\u00f3n del Prototipo. El paquete falla al restringir el acceso al contexto principal, permitiendo a un atacante a\u00f1adir o modificar el prototipo de un objeto. **Nota:** Esta vulnerabilidad deriva de una correcci\u00f3n incompleta en [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878)"}], "id": "CVE-2021-23771", "lastModified": "2022-03-24T01:46:38.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-03-17T12:15:07.740", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}