Main Vulnerability Database SB2020020307

SB2020020307 - Prototype Pollution in dot-prop package

Published: February 3, 2020

Security Bulletin ID SB2020020307

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Resource exhaustion (CVE-ID: CVE-2020-8116)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to prototype pollution. A remote authenticated attacker can modify the prototype of a base object which can vary in severity depending on the implementation (DoS, access to sensitive data, RCE).

Remediation

Install update from vendor's website.

References

https://snyk.io/vuln/SNYK-JS-DOTPROP-543489
https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2
https://hackerone.com/reports/719856