CVE-2018-16492

CRITICAL9.8EPSS 2.5%

Prototype Pollution in extend

發布日:2019/2/7修改日:2026/2/3

也稱為:GHSA-qrmc-fj45-qfc2DEBIAN-CVE-2018-16492

描述

Versions of `extend` prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The `extend()` function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. ## Recommendation If you're using `extend` 3.x upgrade to 3.0.2 or later. If you're using `extend` 2.x upgrade to 2.0.2 or later.

受影響套件(2)

Debian/node-extendfrom 0, < 3.0.2-1
npm/extend>= 3.0.0, < 3.0.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-16492
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-16492
PATCHhttps://github.com/justmoon/node-extend
WEBhttps://github.com/github/advisory-database/pull/6695
WEBhttps://github.com/justmoon/node-extend/commit/0e68e71d93507fcc391e398bc84abd0666b28190
WEBhttps://github.com/justmoon/node-extend/pull/48
WEBhttps://hackerone.com/reports/381185