CVE-2024-23339 - OpenCVE

hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elijahharry	Hoolock

Configuration 1 [-]

cpe:2.3:a:elijahharry:hoolock:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982
https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-22T22:54:53.096Z

Updated: 2024-08-01T22:59:32.346Z

Reserved: 2024-01-15T15:19:19.444Z

Link: CVE-2024-23339

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-22T23:15:08.413

Modified: 2024-01-30T14:30:28.343

Link: CVE-2024-23339

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23339", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.444Z", "datePublished": "2024-01-22T22:54:53.096Z", "dateUpdated": "2024-08-01T22:59:32.346Z"}, "containers": {"cna": {"title": "hoolock does not block Prototype pollution with object-path related utilities", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"}, {"name": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982", "tags": ["x_refsource_MISC"], "url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"}], "affected": [{"vendor": "elijahharry", "product": "hoolock", "versions": [{"version": ">= 2.0.0, < 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T22:54:53.096Z"}, "descriptions": [{"lang": "en", "value": "hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties."}], "source": {"advisory": "GHSA-4c2g-hx49-7h25", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.346Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"}, {"name": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elijahharry:hoolock:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C4DE5F97-F88D-4551-9194-4620945DA9C9", "versionEndExcluding": "2.2.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties."}, {"lang": "es", "value": "hoolock es un conjunto de utilidades livianas manipuladas para ocupar poco espacio cuando se incluyen en paquete. A partir de la versi\u00f3n 2.0.0 y antes de la versi\u00f3n 2.2.1, las funciones de utilidad relacionadas con las rutas de los objetos (`get`, `set` y `update`) no bloqueaban los intentos de acceder o alterar los prototipos de objetos. A partir de la versi\u00f3n 2.2.1, las funciones `get`, `set` y `update` arrojan un `TypeError` cuando un usuario intenta acceder o modificar propiedades heredadas."}], "id": "CVE-2024-23339", "lastModified": "2024-01-30T14:30:28.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-22T23:15:08.413", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}