#VU57216 Prototype pollution in immer - CVE-2021-23436

Cybersecurity Help s.r.o.

Published: 2021-10-11

Vulnerability identifier: #VU57216

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23436

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
immer
Web applications / JS libraries

Vendor: immer

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request to the application and perform prototype pollution.

Note, the vulnerability exists due to incomplete fix for #VU57215.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

immer: 8.0.1 - 9.0.5

External links
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579266
https://snyk.io/vuln/SNYK-JS-IMMER-1540542
https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Edge Application Manager

Multiple vulnerabilities in IBM Business Automation Manager Open Editions

Multiple vulnerabilities in Red Hat Process Automation Manager

Prototype pollution in immer