CVE-2022-21189 - OpenCVE

The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dexie	Dexie

Configuration 1 [-]

OR	cpe:2.3:a:dexie:dexie::::::node.js::*
	cpe:2.3:a:dexie:dexie:4.0.0:alpha1::::::
	cpe:2.3:a:dexie:dexie:4.0.0:alpha2::::::

No data.

References

Link	Providers
https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164
https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308
https://snyk.io/vuln/SNYK-JS-DEXIE-2607042

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-05-01T15:25:21.478902Z

Updated: 2024-09-16T20:07:35.060Z

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-21189

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-05-01T16:15:08.137

Modified: 2022-05-11T14:02:14.117

Link: CVE-2022-21189

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "dexie", "vendor": "n/a", "versions": [{"lessThan": "3.2.2", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "4.0.0-alpha.1", "versionType": "custom"}, {"lessThan": "4.0.0-alpha.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Alessio Della Libera of Snyk Security Team"}], "datePublic": "2022-05-01T00:00:00", "descriptions": [{"lang": "en", "value": "The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "LOW", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 6.9, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Prototype Pollution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-05-01T15:25:21", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-DEXIE-2607042"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b"}], "title": "Prototype Pollution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-05-01T15:20:18.160480Z", "ID": "CVE-2022-21189", "STATE": "PUBLIC", "TITLE": "Prototype Pollution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "dexie", "version": {"version_data": [{"version_affected": "<", "version_value": "3.2.2"}, {"version_affected": ">=", "version_value": "4.0.0-alpha.1"}, {"version_affected": "<", "version_value": "4.0.0-alpha.3"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Alessio Della Libera of Snyk Security Team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Prototype Pollution"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-DEXIE-2607042", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-DEXIE-2607042"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308"}, {"name": "https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164", "refsource": "MISC", "url": "https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164"}, {"name": "https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b", "refsource": "MISC", "url": "https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:31:58.735Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-DEXIE-2607042"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-21189", "datePublished": "2022-05-01T15:25:21.478902Z", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2024-09-16T20:07:35.060Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dexie:dexie:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "477C397F-F518-4C26-8936-C69EC6205F2B", "versionEndExcluding": "3.2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:dexie:dexie:4.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "ED9CE1D6-7FE7-4527-9717-9C3AA87616D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:dexie:dexie:4.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "9597D1AD-CB91-4D92-BF2A-F9BD48B889CD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input."}, {"lang": "es", "value": "El paquete dexie versiones anteriores a 3.2.2, a partir de la versi\u00f3n 4.0.0-alpha.1 y anteriores a 4.0.0-alpha.3 son vulnerables a una Contaminaci\u00f3n de Prototipos en la funci\u00f3n Dexie.setByKeyPath(obj, keyPath, value) que no comprueba apropiadamente las claves que est\u00e1n estableci\u00e9ndose (como __proto__ o constructor). Esto puede permitir a un atacante a\u00f1adir/modificar propiedades del Object.prototype conllevando a una vulnerabilidad de contaminaci\u00f3n del prototipo. **Nota:** Esta vulnerabilidad puede ocurrir de m\u00faltiples maneras, por ejemplo cuando es modificada una colecci\u00f3n con una entrada de usuario no confiable"}], "id": "CVE-2022-21189", "lastModified": "2022-05-11T14:02:14.117", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-05-01T16:15:08.137", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-DEXIE-2607042"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}