Vulnerability Name: CVE-2020-8116 (CCN-175850)
Assigned: 2020-01-28
Published: 2020-01-28
Updated: 2022-08-05
Summary: Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
CVSS v3 Severity:
7.3 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.4 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
6.4 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
CVSS v2 Severity:
7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-1321 CWE-471
Vulnerability Consequences: Gain Access
References:
Source: MITRE Type: CNA CVE-2020-8116
Source: XF Type: UNKNOWN nodejs-dotprop-cve20208116-code-exec(175850)
Source: MISC Type: Third Party Advisory https://github.com/advisories/GHSA-ff7x-qrg7-qggm
Source: CCN Type: dot-prop GIT Repository Prevent setting/getting some problematic path components
Source: MISC Type: Issue Tracking, Patch, Third Party Advisory https://github.com/sindresorhus/dot-prop/issues/63
Source: MISC Type: Broken Link https://github.com/sindresorhus/dot-prop/tree/v4
Source: CCN Type: Hackerone #719856 Prototype pollution in dot-prop
Source: MISC Type: Exploit, Third Party Advisory https://hackerone.com/reports/719856
Source: CCN Type: IBM Security Bulletin 6379558 (Netezza for Cloud Pak for Data) OSS security Scan issues for Concerto installer.
Source: CCN Type: IBM Security Bulletin 6382126 (Netezza for Cloud Pak for Data) OSS scan fixes for Content pos
Source: CCN Type: IBM Security Bulletin 6382128 (Netezza for Cloud Pak for Data) Open Source Security issues for NPS console.
Source: CCN Type: IBM Security Bulletin 6461891 (Cloud Pak for Applications) IBM Cloud Pak for Applications 4.3 nodejs and nodejs-express Appsody stacks is vulnerable to information disclosure, buffer overflow and prototype pollution exposures
Source: CCN Type: IBM Security Bulletin 6566889 (Spectrum Discover) Critical Vulnerabilities in libraries used by libraries that IBM Spectrum discover is using (libraries of libraries)
Source: CCN Type: IBM Security Bulletin 6613009 (Cloud Pak System Software) Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System
Vulnerable Configuration: Configuration 1: Configuration RedHat 1: Configuration RedHat 2: Configuration CCN 1: