CVE-2018-3720 — Modification of Assumed-Immutable Data in Project Assign-deep

CWE-471 — Modification of Assumed-Immutable Data CWE-1321 — Prototype Pollution4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 37.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Assign-deep Project Assign-deep Hackerone Assign-deep Node Module

Timeline

PublishedJun 7

Latest updateJul 26

Description

assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5hackerone/assign-deep_node_moduleVersions before 0.4.7

▶NVDassign-deep_project/assign-deep< 0.4.7

▶npmassign-deep_project/assign-deep< 0.4.7

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Prototype Pollution in assign-deep↗2018-07-26

▶

OSV

Prototype Pollution in assign-deep↗2018-07-26

▶

💥Exploits & PoCs

Exploit-DB

NAT32 2.2 Build 22284 - Remote Command Execution↗2018-02-14

▶