CVE-2023-45827 - OpenCVE

Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Clickbar	Dot-diver

Configuration 1 [-]

cpe:2.3:a:clickbar:dot-diver:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a
https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-06T17:25:43.774Z

Updated: 2024-09-04T18:54:55.435Z

Reserved: 2023-10-13T12:00:50.439Z

Link: CVE-2023-45827

Vulnrichment

Updated: 2024-08-02T20:29:32.507Z

NVD

Status : Analyzed

Published: 2023-11-06T18:15:08.467

Modified: 2023-11-14T17:10:21.330

Link: CVE-2023-45827

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-45827", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-13T12:00:50.439Z", "datePublished": "2023-11-06T17:25:43.774Z", "dateUpdated": "2024-09-04T18:54:55.435Z"}, "containers": {"cna": {"title": "Prototype Pollution vulnerability in @clickbar/dot-diver", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47"}, {"name": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a", "tags": ["x_refsource_MISC"], "url": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a"}], "affected": [{"vendor": "clickbar", "product": "dot-diver", "versions": [{"version": "< 1.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-06T17:25:43.774Z"}, "descriptions": [{"lang": "en", "value": "Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.\n"}], "source": {"advisory": "GHSA-9w5f-mw3p-pj47", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:29:32.507Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47"}, {"name": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T18:52:37.106137Z", "id": "CVE-2023-45827", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T18:54:55.435Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47", "name": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a", "name": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:29:32.507Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-45827", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T18:52:37.106137Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T18:53:58.171Z"}}], "cna": {"title": "Prototype Pollution vulnerability in @clickbar/dot-diver", "source": {"advisory": "GHSA-9w5f-mw3p-pj47", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "clickbar", "product": "dot-diver", "versions": [{"status": "affected", "version": "< 1.0.2"}]}], "references": [{"url": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47", "name": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a", "name": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-06T17:25:43.774Z"}}}, "cveMetadata": {"cveId": "CVE-2023-45827", "state": "PUBLISHED", "dateUpdated": "2024-09-04T18:54:55.435Z", "dateReserved": "2023-10-13T12:00:50.439Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-11-06T17:25:43.774Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clickbar:dot-diver:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B282AFD1-80AC-4421-BAA9-C5B8951E3841", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.\n"}, {"lang": "es", "value": "Dot diver es una librer\u00eda de utilidades TypeScript liviana, potente y sin dependencias que proporciona tipos y funciones para trabajar con rutas de objetos en notaci\u00f3n de puntos. En versiones anteriores a la 1.0.2 hay una vulnerabilidad de contaminaci\u00f3n de prototipo en la funci\u00f3n `setByPath` que puede conducir a la Ejecuci\u00f3n Remota de C\u00f3digo (RCE). Este problema se solucion\u00f3 en el commit `98daf567` que se incluy\u00f3 en la versi\u00f3n 1.0.2. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-45827", "lastModified": "2023-11-14T17:10:21.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-06T18:15:08.467", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}