CVE-2023-26132 - OpenCVE

Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dottie Project	Dottie

Configuration 1 [-]

cpe:2.3:a:dottie_project:dottie:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107
https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68
https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2023-06-10T05:00:01.826Z

Updated: 2024-08-02T11:39:06.620Z

Reserved: 2023-02-20T10:28:48.925Z

Link: CVE-2023-26132

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-06-10T05:15:08.970

Modified: 2023-11-07T04:09:25.510

Link: CVE-2023-26132

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26132", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-20T10:28:48.925Z", "datePublished": "2023-06-10T05:00:01.826Z", "dateUpdated": "2024-08-02T11:39:06.620Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"}}], "credits": [{"value": "Yuhan Gao", "lang": "en"}, {"value": "Peng Zhou", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "description": "Prototype Pollution", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-06-10T05:00:01.826Z"}, "descriptions": [{"value": "Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763"}, {"url": "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107"}, {"url": "https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68"}], "affected": [{"product": "dottie", "versions": [{"version": "0", "lessThan": "2.0.4", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.620Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763", "tags": ["x_transferred"]}, {"url": "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107", "tags": ["x_transferred"]}, {"url": "https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dottie_project:dottie:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FCDBDD66-72B2-4F5B-9730-F9132E9FC2D7", "versionEndExcluding": "2.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file."}], "id": "CVE-2023-26132", "lastModified": "2023-11-07T04:09:25.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-06-10T05:15:08.970", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1321"}], "source": "report@snyk.io", "type": "Secondary"}]}