CWE-915
AllowedImproperly Controlled Modification of Dynamically-Determined Object Attributes
Abstraction: Base · Status: Incomplete
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
276 vulnerabilities reference this CWE, most recent first.
GHSA-896R-F27R-55MW
Vulnerability from github – Published: 2021-11-19 20:16 – Updated: 2025-01-17 21:31json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json-schema"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3918"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-15T22:44:27Z",
"nvd_published_at": "2021-11-13T09:15:00Z",
"severity": "CRITICAL"
},
"details": "json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027).",
"id": "GHSA-896r-f27r-55mw",
"modified": "2025-01-17T21:31:38Z",
"published": "2021-11-19T20:16:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa"
},
{
"type": "PACKAGE",
"url": "https://github.com/kriszyp/json-schema"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250117-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "json-schema is vulnerable to Prototype Pollution"
}
GHSA-89MQ-4X47-5V83
Vulnerability from github – Published: 2019-11-20 15:29 – Updated: 2025-11-20 19:29Versions of angular prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function merge() does not restrict the modification of an Object's prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects.
Recommendation
Upgrade to version 1.7.9 or later. The function was already deprecated and upgrades are not expected to break functionality.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "angular"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10768"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-20",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2019-11-20T00:51:05Z",
"nvd_published_at": "2019-11-19T21:15:00Z",
"severity": "HIGH"
},
"details": "Versions of `angular ` prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function `merge()` does not restrict the modification of an Object\u0027s prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n## Recommendation\n\nUpgrade to version 1.7.9 or later. The function was already deprecated and upgrades are not expected to break functionality.",
"id": "GHSA-89mq-4x47-5v83",
"modified": "2025-11-20T19:29:58Z",
"published": "2019-11-20T15:29:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10768"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular.js/pull/16913"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3"
},
{
"type": "PACKAGE",
"url": "https://github.com/angular/angular.js"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-534884"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "angular Prototype Pollution vulnerability"
}
GHSA-8GGX-MV5H-WJ7Q
Vulnerability from github – Published: 2025-12-10 09:30 – Updated: 2025-12-10 09:30An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity Series. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted JSON payload to the device's registration endpoint /api/v1/devices/register, allowing the attacker to register unauthorized devices without authentication. Although exploiting this vulnerability has limited modification of data, there is no impact to the confidentiality and availability of the affected device, as well as no loss of confidentiality, integrity, and availability within any subsequent systems.
{
"affected": [],
"aliases": [
"CVE-2025-9315"
],
"database_specific": {
"cwe_ids": [
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-10T09:15:47Z",
"severity": "MODERATE"
},
"details": "An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity Series. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted JSON payload to the device\u0027s registration endpoint /api/v1/devices/register, allowing the attacker to register unauthorized devices without authentication. Although exploiting this vulnerability has limited modification of data, there is no impact to the confidentiality and availability of the affected device, as well as no loss of confidentiality, integrity, and availability within any subsequent systems.",
"id": "GHSA-8ggx-mv5h-wj7q",
"modified": "2025-12-10T09:30:25Z",
"published": "2025-12-10T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9315"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-252631-cve-2025-9315-unauthenticated-device-registration-vulnerability-in-mxsecurity-series"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8P36-Q63G-68QH
Vulnerability from github – Published: 2021-05-13 22:31 – Updated: 2022-12-03 03:46org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.mitre:openid-connect-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-27582"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-07T18:32:32Z",
"nvd_published_at": "2021-02-23T18:15:00Z",
"severity": "CRITICAL"
},
"details": "org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.",
"id": "GHSA-8p36-q63g-68qh",
"modified": "2022-12-03T03:46:40Z",
"published": "2021-05-13T22:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27582"
},
{
"type": "WEB",
"url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/commit/7eba3c12fed82388f917e8dd9b73e86e3a311e4c"
},
{
"type": "PACKAGE",
"url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server"
},
{
"type": "WEB",
"url": "https://portswigger.net/research/hidden-oauth-attack-vectors"
},
{
"type": "WEB",
"url": "http://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Autobinding vulnerability in MITREid Connect"
}
GHSA-8V63-CQQC-6R2C
Vulnerability from github – Published: 2021-09-20 20:46 – Updated: 2022-08-11 21:52object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "object-path"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3805"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-20T20:13:12Z",
"nvd_published_at": "2021-09-17T06:15:00Z",
"severity": "HIGH"
},
"details": "object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027). The `del()` function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like `toString` on all objects.",
"id": "GHSA-8v63-cqqc-6r2c",
"modified": "2022-08-11T21:52:14Z",
"published": "2021-09-20T20:46:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3805"
},
{
"type": "WEB",
"url": "https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884"
},
{
"type": "PACKAGE",
"url": "https://github.com/mariocasciaro/object-path"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in object-path"
}
GHSA-8VV3-JXM8-F4VF
Vulnerability from github – Published: 2021-05-06 17:29 – Updated: 2021-05-05 21:19The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "connie-lang"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7706"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T21:19:56Z",
"nvd_published_at": "2020-08-18T10:15:00Z",
"severity": "CRITICAL"
},
"details": "The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.",
"id": "GHSA-8vv3-jxm8-f4vf",
"modified": "2021-05-05T21:19:56Z",
"published": "2021-05-06T17:29:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7706"
},
{
"type": "WEB",
"url": "https://github.com/mattinsler/connie-lang/commit/ef376d404c712dd28309ba07f28a8f87f24a015a"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-CONNIELANG-598853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in connie-lang"
}
GHSA-92V9-XH2Q-FQ9F
Vulnerability from github – Published: 2021-09-20 20:12 – Updated: 2022-12-03 04:00The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the proto object.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@cookiex/deep"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23442"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-20T19:26:16Z",
"nvd_published_at": "2021-09-17T10:15:00Z",
"severity": "HIGH"
},
"details": "The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the __proto__ object.",
"id": "GHSA-92v9-xh2q-fq9f",
"modified": "2022-12-03T04:00:48Z",
"published": "2021-09-20T20:12:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23442"
},
{
"type": "WEB",
"url": "https://github.com/tony-tsx/cookiex-deep/issues/1"
},
{
"type": "WEB",
"url": "https://github.com/tony-tsx/cookiex-deep/commit/b5bea2b7f34a5fa9abb4446cbd038ecdbcd09c88"
},
{
"type": "PACKAGE",
"url": "https://github.com/tony-tsx/cookiex-deep"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-COOKIEXDEEP-1582793"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in cookiex/deep"
}
GHSA-92XJ-MQP7-VMCJ
Vulnerability from github – Published: 2020-09-14 21:42 – Updated: 2022-12-03 04:06The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7720"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2020-09-14T21:41:51Z",
"nvd_published_at": "2020-09-01T10:15:00Z",
"severity": "HIGH"
},
"details": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.",
"id": "GHSA-92xj-mqp7-vmcj",
"modified": "2022-12-03T04:06:21Z",
"published": "2020-09-14T21:42:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md#removed"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in node-forge"
}
GHSA-938F-5R4F-H65V
Vulnerability from github – Published: 2024-12-10 00:31 – Updated: 2025-06-04 00:50Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.
This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "10.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core-recommended"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "10.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core-recommended"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core-recommended"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "10.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-55636"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-10T19:09:20Z",
"nvd_published_at": "2024-12-10T00:15:22Z",
"severity": "LOW"
},
"details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.\n\nTo help protect against this vulnerability, types have been added to properties in some of Drupal core\u0027s classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.\n\nThis issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.",
"id": "GHSA-938f-5r4f-h65v",
"modified": "2025-06-04T00:50:14Z",
"published": "2024-12-10T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55636"
},
{
"type": "WEB",
"url": "https://github.com/drupal/core/commit/17f362b988e6ad6bd5cc1e7e8a7a0804e1536fbc"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2024-006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Drupal core contains a potential PHP Object Injection vulnerability"
}
GHSA-9534-H433-2RJF
Vulnerability from github – Published: 2021-05-07 16:28 – Updated: 2021-07-28 18:40utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "utilitify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10808"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-03T18:04:07Z",
"nvd_published_at": "2020-03-11T23:15:00Z",
"severity": "HIGH"
},
"details": "utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.",
"id": "GHSA-9534-h433-2rjf",
"modified": "2021-07-28T18:40:29Z",
"published": "2021-05-07T16:28:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10808"
},
{
"type": "WEB",
"url": "https://github.com/xcritical-software/utilitify/commit/88d6e27009823338bf319ffb768fe6b08e8ad2d1,"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-UTILITIFY-559497"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in utilitify"
}
Mitigation
- If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
- For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
Strategy: Input Validation
For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Mitigation
Strategy: Refactoring
Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
No CAPEC attack patterns related to this CWE.