{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21529", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.122Z", "datePublished": "2024-09-11T05:00:01.507Z", "dateUpdated": "2024-09-11T17:51:59.141Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P"}}], "credits": [{"value": "Tariq Hawis", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "description": "Prototype Pollution", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-09-11T05:00:01.507Z"}, "descriptions": [{"value": "Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-DSET-7116691"}, {"url": "https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa"}], "affected": [{"product": "dset", "versions": [{"version": "0", "lessThan": "3.1.4", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"affected": [{"vendor": "dset_project", "product": "dset", "cpes": ["cpe:2.3:a:dset_project:dset:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.1.4", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-11T17:49:21.299829Z", "id": "CVE-2024-21529", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:51:59.141Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21529", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-11T17:49:21.299829Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:dset_project:dset:*:*:*:*:*:node.js:*:*"], "vendor": "dset_project", "product": "dset", "versions": [{"status": "affected", "version": "0", "lessThan": "3.1.4", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:51:53.455Z"}}], "cna": {"credits": [{"lang": "en", "value": "Tariq Hawis"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "dset", "versions": [{"status": "affected", "version": "0", "lessThan": "3.1.4", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-DSET-7116691"}, {"url": "https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa"}], "descriptions": [{"lang": "en", "value": "Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1321", "description": "Prototype Pollution"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-09-11T05:00:01.507Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21529", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:51:59.141Z", "dateReserved": "2023-12-22T12:33:20.122Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-09-11T05:00:01.507Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program."}, {"lang": "es", "value": "Las versiones del paquete dset anteriores a la 3.1.4 son vulnerables a la contaminaci\u00f3n de prototipos a trav\u00e9s de la funci\u00f3n dset debido a una desinfecci\u00f3n incorrecta de la entrada del usuario. Esta vulnerabilidad permite al atacante inyectar una propiedad de objeto maliciosa mediante la propiedad de objeto incorporada __proto__, que se asigna de forma recursiva a todos los objetos del programa."}], "id": "CVE-2024-21529", "lastModified": "2024-09-11T16:26:11.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-09-11T05:15:02.547", "references": [{"source": "report@snyk.io", "url": "https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-DSET-7116691"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"bugzilla": {"description": "dset: Prototype Pollution", "id": "2311418", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311418"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "status": "draft"}, "cwe": "CWE-1321", "details": ["Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.", "A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-21529", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "dset", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-09-11T05:15:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21529\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21529\nhttps://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa\nhttps://security.snyk.io/vuln/SNYK-JS-DSET-7116691"], "statement": "Prototype Pollution is rated with as Important severity issue because it exploits the fundamental inheritance mechanism of JavaScript objects, allowing an attacker to maliciously alter the global Object.prototype. This can lead to widespread and unpredictable behavior across the entire application, as all objects inherit from this polluted prototype. The consequences can range from denial of service (DoS), where important functions like toString() are rendered unusable, to remote code execution (RCE), where injected properties are executed in privileged contexts.", "threat_severity": "Important"}

{}