Exposure of Resource to Wrong Sphere in Kind-of - CVE-2019-20149

 

Exposure of Resource to Wrong Sphere in Kind-of - CVE-2019-20149

Published: August 2, 2023


Vulnerability identifier: #VU78874
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-20149
CWE-ID: CWE-668
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: jonschlinkert
Affected software:
Kind-of

Detailed vulnerability description

The vulnerability allows a remote attacker to modify files on the system.

The vulnerability exists due to ctorName in index.js in kind-of allows external user input to overwrite certain internal attributes via a conflicting name. A remote unauthenticated attacker can send a specially crafted payload to overwrite builtin attribute and manipulate the type detection result.


How to mitigate CVE-2019-20149

Install updates from vendor's website.

Sources