CVE-2020-7774
Published 2020-11-17
CVE-2020-7774: The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Priority P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 69.06% (99.3rd percentile)
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-y18n | < node-y18n 4.0.0-3 (bookworm) | node-y18n 4.0.0-3 (bookworm) |
| oracle | graalvm | — | — |
| oracle | graalvm | — | — |
| oracle | graalvm | — | — |
| paloalto | pan-os | — | — |
| siemens | sinec_infrastructure_network_services | < 1.0.1.1 | 1.0.1.1 |
| y18n_project | y18n | < 3.2.2 | 3.2.2 |
| y18n_project | y18n | — | — |
| y18n_project | y18n | >= 0 < 3.2.2 | 3.2.2 |
| y18n_project | y18n | >= 4.0.0 < 4.0.1 | 4.0.1 |
| y18n_project | y18n | >= 5.0.0 < 5.0.5 | 5.0.5 |
| y18n_project | y18n | >= 5.0.0 < 5.0.5 | 5.0.5 |
| y18n_project | y18n | >= unspecified < 5.0.5 | 5.0.5 |
Detection & IOCs (extracted from sources)
- Vulnerability is scoped as local access only, limiting remote exploitation surface.
- Exploitation requires attacker-controlled untrusted input via the locale functionality of y18n; denial of service is the primary impact, with data integrity/confidentiality impact only in rare circumstances.
- In OpenShift/OSSM/distributed tracing deployments, the vulnerable library is behind OAuth authentication, reducing practical exploitability to authenticated users only.
- In Red Hat OpenShift Container Storage 4, y18n is a dependency of yargs within noobaa-core, but no unsafe usage accepting untrusted input was identified.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.3 | HIGH | — |
| vendor_redhat | — | 7.3 | HIGH | — |
Palo Alto
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-09-04·CVSS 6.0
CVE-2010-1622 [MEDIUM] PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2010-1622, CVE-2015-7552, CVE-2018-16840, CVE-2019-7639, CVE-2020-17049, CVE-2020-7774, CVE-2021-0131, CVE-2021-0132, CVE-2021-0133, CVE-2021-0134, CVE-2021-4044, CVE-2021-4160, CVE-2021-41773, CVE-2022-1343, CVE-2022-21449, CVE-2022-2274, CVE-2022-22963, CVE-2022-22965, CVE-2022-24697, CVE-2022-32207, CVE-2022-3358, CVE-2022-3996, CVE-2022-40664, CVE-2022-44792, CVE-2022-44793, CVE-2023-1255, CVE-2023-22809, CVE-2023-23919, CVE-2023-3341, CVE-2023-4236, CVE-2023-4863, CVE-2023-51767
Affected products: PAN-OS
Palo Alto
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-09-04·CVSS 6.0
CVE-2022-22965 [MEDIUM] PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2010-1622, CVE-2015-7552, CVE-2018-16840, CVE-2019-7639, CVE-2020-17049, CVE-2020-7774, CVE-2021-0131, CVE-2021-0132, CVE-2021-0133, CVE-2021-0134, CVE-2021-4044, CVE-2021-4160, CVE-2021-41773, CVE-2022-1343, CVE-2022-21449, CVE-2022-2274, CVE-2022-22963, CVE-2022-22965, CVE-2022-24697, CVE-2022-32207, CVE-2022-3358, CVE-2022-3996, CVE-2022-40664, CVE-2022-44792, CVE-2022-44793, CVE-2023-1255, CVE-2023-22809, CVE-2023-23919, CVE-2023-3341, CVE-2023-4236, CVE-2023-4863, CVE-2023-51767
Affected products: PAN-OS
CISA ICS
Siemens SINEC INS
cisa_ics·2022-03-10·CVSS 5.9
[MEDIUM] Siemens SINEC INS
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
## Siemens SINEC INS
Last Revised: March 10, 2022
Alert Code: ICSA-22-069-09
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC INS
- Vulnerability: Using Components with Known Vulnerabilities
## 2. RISK EVALUATION
Successful exploitation of this vulnerability in third-party components could allow an attacker to interfere with the affected product in various ways.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Siemens reports this vulnerability affects the following SINEC INS (Infrastructure Netw
Red Hat
nodejs-y18n: prototype pollution vulnerability
vendor_redhat·2020-10-25·CVSS 7.3
CVE-2020-7774 [HIGH] CWE-915 nodejs-y18n: prototype pollution vulnerability
nodejs-y18n: prototype pollution vulnerability
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
Statement: In OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and OpenShift distributed tracing the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-y18n library to authenticated users only, therefore the impact is Low.
In Red Hat OpenShift Container Storage 4 the noobaa-core container includes the
Debian
CVE-2020-7774: node-y18n - The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollu...
vendor_debian·2020·CVSS 7.3
CVE-2020-7774 [HIGH] CVE-2020-7774: node-y18n - The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollu...
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Scope: local
bookworm: resolved (fixed in 4.0.0-3)
bullseye: resolved (fixed in 4.0.0-3)
forky: resolved (fixed in 4.0.0-3)
sid: resolved (fixed in 4.0.0-3)
trixie: resolved (fixed in 4.0.0-3)
OSV
Prototype Pollution in y18n
osv·2021-03-29
CVE-2020-7774 [HIGH] Prototype Pollution in y18n
Prototype Pollution in y18n
### Overview
The npm package `y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.
### POC
```js
const y18n = require('y18n')();
y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});
console.log(polluted); // true
```
### Recommendation
Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.
GHSA
Prototype Pollution in y18n
ghsa·2021-03-29
CVE-2020-7774 [HIGH] CWE-1321 Prototype Pollution in y18n
Prototype Pollution in y18n
### Overview
The npm package `y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.
### POC
```js
const y18n = require('y18n')();
y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});
console.log(polluted); // true
```
### Recommendation
Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.
OSV
CVE-2020-7774: The package y18n before 3
osv·2020-11-17·CVSS 9.8
CVE-2020-7774 [CRITICAL] CVE-2020-7774: The package y18n before 3
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/yargs/y18n/issues/96
- https://github.com/yargs/y18n/pull/108
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306
- https://snyk.io/vuln/SNYK-JS-Y18N-1021887
- https://www.oracle.com/security-alerts/cpuApr2021.html
Published: 2020-11-17