#VU86917 Prototype pollution in dustjs


Published: 2024-02-29

Vulnerability identifier: #VU86917

Vulnerability risk: Medium

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2021-4264

CWE-ID: CWE-1321

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
dustjs
Other software / Other software solutions

Vendor: LinkedIn Corporation

Description

The vulnerability allows a remote user to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote user can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
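The weakness class named above (CWE-1321, prototype pollution) is easiest to understand in a few lines of code. The following is an added illustration written for this bulletin, not code from dustjs or from the linked commit, and it makes no claim about the specific code path in dustjs: it uses a generic naive recursive merge as the vulnerable pattern, a hardened merge that refuses keys which reach the prototype chain, and a simple input check a defender can run over parsed request data. The crafted JSON document, the function names and the `isAdmin` property are all constructed for the example.

```javascript
// Added example, not dustjs code: how attacker-controlled JSON can pollute
// Object.prototype through a naive deep merge (CWE-1321), a hardened merge
// that refuses the dangerous keys, and an input check that flags such data.

// Constructed sample input, shaped like a JSON request body. JSON.parse turns
// "__proto__" into an ordinary own property, so a merge that walks keys
// blindly will step onto Object.prototype.
const CRAFTED_JSON = '{"__proto__": {"isAdmin": true}, "name": "guest"}';

// Keys that, when used as property names on a plain object, reach the
// prototype chain instead of the object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObjectLike(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: recurses into every object-valued key. When key is
// "__proto__", target[key] is Object.prototype, and the recursion writes
// attacker-chosen properties onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObjectLike(value)) {
      if (!isPlainObjectLike(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip the forbidden keys at every level of the recursion
// and only descend into properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObjectLike(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObjectLike(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: true if any nested key in parsed input targets the
// prototype chain. Useful as a validation step before data reaches a merge,
// template context or configuration loader.
function containsPrototypeKey(value) {
  if (!isPlainObjectLike(value)) return false;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return true;
    if (containsPrototypeKey(value[key])) return true;
  }
  return false;
}

// Runs both merges against the crafted input and reports whether an
// unrelated, freshly created object ended up "having" isAdmin. The global
// prototype is restored afterwards so the pollution does not leak.
function demonstrate() {
  const report = { pollutedByUnsafe: false, pollutedBySafe: false, flagged: false };
  try {
    unsafeMerge({}, JSON.parse(CRAFTED_JSON));
    report.pollutedByUnsafe = ({}).isAdmin === true;
    delete Object.prototype.isAdmin; // start the hardened check clean
    safeMerge({}, JSON.parse(CRAFTED_JSON));
    report.pollutedBySafe = ({}).isAdmin === true;
    report.flagged = containsPrototypeKey(JSON.parse(CRAFTED_JSON));
  } finally {
    delete Object.prototype.isAdmin;
  }
  return report;
}

console.log(JSON.stringify(demonstrate()));
```

The report prints `{"pollutedByUnsafe":true,"pollutedBySafe":false,"flagged":true}`: the naive merge makes every object in the process appear to carry `isAdmin`, which is the information-disclosure and data-manipulation impact the description refers to, while the hardened merge preserves the legitimate `name` field and touches nothing on the prototype. Using `Object.create(null)` for merge targets and freezing `Object.prototype` at startup are further defence-in-depth options for code that must accept untrusted structured input.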

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

dustjs: 1.0.0 - 2.7.5


External links
http://github.com/linkedin/dustjs/commit/ddb6523832465d38c9d80189e9de60519ac307c3
http://github.com/linkedin/dustjs/pull/805
http://vuldb.com/?id.216464
http://github.com/linkedin/dustjs/issues/804
http://vuldb.com/?ctiid.216464
http://github.com/linkedin/dustjs/releases/tag/v3.0.0


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

