Home > Vulnerability Database > CVE-2019-10768

Mend.io Vulnerability Database

CVE-2019-10768

Good to know:

Date: November 19, 2019

In AngularJS before 1.7.9 the function "merge()" could be tricked into adding or modifying properties of "Object.prototype" using a "__proto__" payload. After conducting further research, Mend has determined that versions 1.4.0-beta.6 before 1.7.9 of angular are vulnerable to CVE-2019-10768. Converted from WS-2019-0367, on 2021-07-21.

Language: Java

Severity Score

7.5

Related Resources (9)

Url: https://www.npmjs.com/advisories/1343

Url: https://github.com/angular/angular.js

Url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E

Url: https://security-tracker.debian.org/tracker/CVE-2019-10768

Url: https://github.com/angular/angular.js/pull/16913

Url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-10768

Url: https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3

Url: https://www.mend.io/vulnerability-database/CVE-2019-10768

Severity Score

7.5

Weakness Type (CWE)

Improper Input Validation

CWE-20

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Improperly Controlled Modification of Dynamically-Determined Object Attributes

CWE-915

Top Fix

Upgrade Version

Upgrade to version angular - 1.5.23;angular - 1.7.9;angular-parse-ext - 1.5.23-parse-ext;angular-animate - 1.5.23-animate;angular-aria - 1.5.23-aria;angular-messages - 1.5.23-messages;angular-resource - 1.5.23-resource;angular-message-format - 1.5.23-message-format;angular-sanitize - 1.5.23-sanitize;angular-i18n - 1.5.23-i18n;angular-route - 1.5.23-route;angular-loader - 1.5.23-loader;angular-cookies - 1.5.23-cookies;angular-mocks - 1.5.23-mocks;angular-touch - 1.5.23-touch;angular - 1.5.23;angular-messages - 1.5.23-messages;angular-parse-ext - 1.5.23-parse-ext;angular-message-format - 1.5.23-message-format;angular-mocks - 1.5.23-mocks;angular-resource - 1.5.23-resource;angular-i18n - 1.5.23-i18n;angular-sanitize - 1.5.23-sanitize;angular-animate - 1.5.23-animate;angular-route - 1.5.23-route;angular-aria - 1.5.23-aria;angular-loader - 1.5.23-loader;angular-touch - 1.5.23-touch;angular-cookies - 1.5.23-cookies

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-10768

Good to know:

Date: November 19, 2019

Language: Java

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?