CVE-2023-26113 - OpenCVE

Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Collection.js Project	Collection.js

Configuration 1 [-]

cpe:2.3:a:collection.js_project:collection.js:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/kobezzza/Collection/blob/be32c48e68f49d3be48a58e929d1ab8ff1d2d19c/dist/node/iterators/extend.js%23L324
https://github.com/kobezzza/Collection/commit/d3d937645f62f37d3115d6aa90bb510fd856e6a2
https://github.com/kobezzza/Collection/issues/27
https://github.com/kobezzza/Collection/releases/tag/v6.8.1
https://security.snyk.io/vuln/SNYK-JS-COLLECTIONJS-3185148

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2023-03-18T05:00:01.243Z

Updated: 2024-08-02T11:39:06.578Z

Reserved: 2023-02-20T10:28:48.922Z

Link: CVE-2023-26113

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-03-18T05:15:52.937

Modified: 2023-11-07T04:09:22.120

Link: CVE-2023-26113

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26113", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-20T10:28:48.922Z", "datePublished": "2023-03-18T05:00:01.243Z", "dateUpdated": "2024-08-02T11:39:06.578Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"}}], "credits": [{"value": "Peng Zhou", "lang": "en"}, {"value": "Yuhan Gao", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "description": "Prototype Pollution", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-03-18T05:00:01.243Z"}, "descriptions": [{"value": "Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js. \r\r", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-COLLECTIONJS-3185148"}, {"url": "https://github.com/kobezzza/Collection/issues/27"}, {"url": "https://github.com/kobezzza/Collection/blob/be32c48e68f49d3be48a58e929d1ab8ff1d2d19c/dist/node/iterators/extend.js%23L324"}, {"url": "https://github.com/kobezzza/Collection/releases/tag/v6.8.1"}, {"url": "https://github.com/kobezzza/Collection/commit/d3d937645f62f37d3115d6aa90bb510fd856e6a2"}], "affected": [{"product": "collection.js", "versions": [{"version": "0", "lessThan": "6.8.1", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.578Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-COLLECTIONJS-3185148", "tags": ["x_transferred"]}, {"url": "https://github.com/kobezzza/Collection/issues/27", "tags": ["x_transferred"]}, {"url": "https://github.com/kobezzza/Collection/blob/be32c48e68f49d3be48a58e929d1ab8ff1d2d19c/dist/node/iterators/extend.js%23L324", "tags": ["x_transferred"]}, {"url": "https://github.com/kobezzza/Collection/releases/tag/v6.8.1", "tags": ["x_transferred"]}, {"url": "https://github.com/kobezzza/Collection/commit/d3d937645f62f37d3115d6aa90bb510fd856e6a2", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:collection.js_project:collection.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "27735FC6-ED7E-4FDD-8F74-1E22F837B8A4", "versionEndExcluding": "6.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js. \r\r"}], "id": "CVE-2023-26113", "lastModified": "2023-11-07T04:09:22.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-03-18T05:15:52.937", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/kobezzza/Collection/blob/be32c48e68f49d3be48a58e929d1ab8ff1d2d19c/dist/node/iterators/extend.js%23L324"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/kobezzza/Collection/commit/d3d937645f62f37d3115d6aa90bb510fd856e6a2"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/kobezzza/Collection/issues/27"}, {"source": "report@snyk.io", "tags": ["Patch", "Release Notes"], "url": "https://github.com/kobezzza/Collection/releases/tag/v6.8.1"}, {"source": "report@snyk.io", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-COLLECTIONJS-3185148"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1321"}], "source": "report@snyk.io", "type": "Secondary"}]}