CVE-2022-31106 - OpenCVE

Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to prevent specific keywords which will prevent this from happening.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Clever	Underscore.deep

Configuration 1 [-]

cpe:2.3:a:clever:underscore.deep:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/Clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7
https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-06-28T17:30:14

Updated: 2024-08-03T07:11:39.316Z

Reserved: 2022-05-18T00:00:00

Link: CVE-2022-31106

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-06-28T18:15:08.550

Modified: 2022-07-08T13:40:38.370

Link: CVE-2022-31106

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "underscore.deep", "vendor": "Clever", "versions": [{"status": "affected", "version": "< 0.5.3"}]}], "descriptions": [{"lang": "en", "value": "Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to prevent specific keywords which will prevent this from happening."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-28T17:30:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7"}], "source": {"advisory": "GHSA-8j79-hfj5-f2xm", "discovery": "UNKNOWN"}, "title": "Prototype Pollution in underscore.deep", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31106", "STATE": "PUBLIC", "TITLE": "Prototype Pollution in underscore.deep"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "underscore.deep", "version": {"version_data": [{"version_value": "< 0.5.3"}]}}]}, "vendor_name": "Clever"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to prevent specific keywords which will prevent this from happening."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}, {"description": [{"lang": "eng", "value": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm", "refsource": "CONFIRM", "url": "https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm"}, {"name": "https://github.com/Clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7", "refsource": "MISC", "url": "https://github.com/Clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7"}]}, "source": {"advisory": "GHSA-8j79-hfj5-f2xm", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:11:39.316Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31106", "datePublished": "2022-06-28T17:30:14", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:11:39.316Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clever:underscore.deep:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7BAC5AEC-FFAB-4972-8835-48C19036EB78", "versionEndExcluding": "0.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to prevent specific keywords which will prevent this from happening."}, {"lang": "es", "value": "Underscore.deep es una colecci\u00f3n de mixins de Underscore que operan sobre objetos anidados. Las versiones de \"underscore.deep\" anteriores a 0.5.3 son susceptibles a una vulnerabilidad de contaminaci\u00f3n de prototipos. Un atacante puede dise\u00f1ar una carga maliciosa y pasarla a \"deepFromFlat\", lo que contaminar\u00eda cualquier objeto creado en el futuro. Cualquier usuario que tenga \"deepFromFlat\" o \"deepPick\" (debido a su dependencia de \"deepFromFlat\") en su c\u00f3digo deber\u00eda actualizar a versi\u00f3n 0.5.3 lo antes posible. Los usuarios que no puedan actualizarse pueden mitigar este problema al modificar \"deepFromFlat\" para evitar palabras clave espec\u00edficas que impidan que esto ocurra"}], "id": "CVE-2022-31106", "lastModified": "2022-07-08T13:40:38.370", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-06-28T18:15:08.550", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1321"}, {"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Secondary"}]}