CVE-2024-39001
MEDIUM 6.3 | EPSS 0.26%
ag-grid packages vulnerable to Prototype Pollution
Published: 2024/7/1 | Modified: 2026/2/4
Description
ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
Affected packages (3)
- npm/ag-grid-community >= 32.0.0, < 32.0.1
- npm/ag-grid-enterprise >= 32.0.0, < 32.0.1
- npm/@ag-grid-enterprise/charts >= 32.0.0, < 32.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
Reference links (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-39001
- PATCH: https://github.com/ag-grid/ag-grid
- WEB: https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa
- WEB: https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b
- WEB: https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b
- WEB: https://github.com/ag-grid/ag-grid/commit/78fb47f6c996f22c0b7184afb29620ab8c240522
- WEB: https://github.com/ag-grid/ag-grid/commit/ff731699453f2632d4852b3a3c34b479c406068c
- WEB: https://github.com/ag-grid/ag-grid/issues/8261
- WEB: https://www.ag-grid.com/changelog/?fixVersion=31.3.4
- WEB: https://www.ag-grid.com/changelog/?fixVersion=32.0.1