CVE-2021-23444
MEDIUM5.6EPSS 1.5%Prototype Pollution in jointjs
發布日:2021/9/22修改日:2025/1/14
描述
This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.
受影響套件(1)
- npm/jointjsfrom 0, < 3.4.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
參考連結(7)
- PATCHhttps://github.com/clientIO/joint
- WEBhttps://github.com/clientIO/joint/commit/e5bf89efef6d5ea572d66870ffd86560de7830a8
- WEBhttps://github.com/clientIO/joint/pull/1514
- WEBhttps://github.com/clientIO/joint/releases/tag/v3.4.2
- WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1655817
- WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1655816
- WEBhttps://snyk.io/vuln/SNYK-JS-JOINTJS-1579578