CVE-2019-10808

utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/xcritical-software/utilitify/commit/88d6e27009823338bf319ffb768fe6b08e8ad2d1%2C
https://snyk.io/vuln/SNYK-JS-UTILITIFY-559497	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xcritical.software:utilitify:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2020-03-11 23:15

Updated : 2023-11-07 03:02

NVD link : CVE-2019-10808

Mitre link : CVE-2019-10808

CVE.ORG link : CVE-2019-10808

JSON object : View

Products Affected

xcritical.software

utilitify

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

{"id": "CVE-2019-10808", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2020-03-11T23:15:11.467", "references": [{"url": "https://github.com/xcritical-software/utilitify/commit/88d6e27009823338bf319ffb768fe6b08e8ad2d1%2C", "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JS-UTILITIFY-559497", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1321"}]}], "descriptions": [{"lang": "en", "value": "utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype."}, {"lang": "es", "value": "utilitify versiones anteriores a la versi\u00f3n 1.0.3, permite la modificaci\u00f3n de las propiedades de objeto. El m\u00e9todo de fusi\u00f3n podr\u00eda ser enga\u00f1ado para agregar o modificar propiedades de Object.prototype."}], "lastModified": "2023-11-07T03:02:34.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xcritical.software:utilitify:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "4B9CEE00-5D27-40D9-8E91-1EC1EB864D29", "versionEndExcluding": "1.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}