CVE-2019-10745 — Prototype Pollution in Project Assign-deep

CWE-1321 — Prototype Pollution CWE-20 — Improper Input Validation CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes5 documents3 sources

Severity

7.5HIGHNVD

OSV8.6

EPSS

0.2%

top 53.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Assign-deep Project Assign-deep Pocoo Jinja2

Timeline

PublishedAug 20

Latest updateAug 21

Description

assign-deep is vulnerable to Prototype Pollution in versions before 0.4.8 and version 1.0.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using either a constructor or a _proto_ payload.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDassign-deep_project/assign-deep< 0.4.8+1

▶npmassign-deep_project/assign-deep1.0.0 — 1.0.1+1

▶CVEListV5assign-deep_project/assign-deepAll versions prior to 0.4.8 and version 1.0.0

▶Ubuntupocoo/jinja2< 2.8-1ubuntu0.1+2

Patches

Patch: snyk.io ↗Patch: snyk.io ↗

🔴Vulnerability Details

GHSA

assign-deep Vulnerable to Prototype Pollution↗2019-08-21

▶

OSV

assign-deep Vulnerable to Prototype Pollution↗2019-08-21

▶

OSV

jinja2 vulnerabilities↗2019-06-06

▶

OSV

jinja2 vulnerabilities↗2019-06-06

▶