CVE-2021-23444
MEDIUM5.6EPSS 1.5%Prototype Pollution in jointjs
Published: 9/22/2021Modified: 1/14/2025
Also known as:GHSA-f3pp-32qc-36w4
Description
This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.
Affected packages (1)
- npm/jointjsfrom 0, < 3.4.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
References (7)
- PATCHhttps://github.com/clientIO/joint
- WEBhttps://github.com/clientIO/joint/commit/e5bf89efef6d5ea572d66870ffd86560de7830a8
- WEBhttps://github.com/clientIO/joint/pull/1514
- WEBhttps://github.com/clientIO/joint/releases/tag/v3.4.2
- WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1655817
- WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1655816
- WEBhttps://snyk.io/vuln/SNYK-JS-JOINTJS-1579578