Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-28860

Good to know:

icon
icon

Date: May 3, 2021

In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).

Language: JS

Severity Score

Related Resources (12)

https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
https://security.netapp.com/advisory/ntap-20210618-0005/
https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4
https://github.com/adaltas/node-mixme/issues/1
https://nvd.nist.gov/vuln/detail/CVE-2021-28860
https://www.npmjs.com/~david
http://nodejs.com
https://security.netapp.com/advisory/ntap-20210618-0005
https://security.netapp.com/advisory/ntap-20210622-0002
https://nvd.nist.gov/vuln/detail/CVE-2021-29491
https://github.com/adaltas/node-mixme
https://www.mend.io/vulnerability-database/CVE-2021-28860

Severity Score

Weakness Type (CWE)

Improper Control of Dynamically-Managed Code Resources

CWE-913

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

icon

Upgrade Version

Upgrade to version mixme - 0.5.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us