CVE-2023-45827

06.11.2023, 18:15

Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.

Prototype Pollution

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
GitHub_M	CNA	7.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 91%

Vendor	Product	Version
clickbar	dot-diver	𝑥 < 1.0.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

References

https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a

https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47

https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a

https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47