Home > Vulnerability Database > CVE-2022-21213

Mend.io Vulnerability Database

CVE-2022-21213

Good to know:

Date: June 17, 2022

This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. Note: This vulnerability derives from an incomplete fix of "CVE-2020-7792" (https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).

Language: JS

Severity Score

7.5

Related Resources (7)

Url: https://github.com/mout/mout/commit/17ffdc2a96417a63a0147156dc045e90d0d14c64

Url: https://github.com/mout/mout

Url: https://github.com/mout/mout/pull/279

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-21213

Url: https://github.com/mout/mout/blob/master/src/object/deepFillIn.js

Url: https://github.com/mout/mout/blob/master/src/object/deepMixIn.js

Url: https://www.mend.io/vulnerability-database/CVE-2022-21213

Severity Score

7.5

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

Upgrade Version

Upgrade to version mout - 1.2.4

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-21213

Good to know:

Date: June 17, 2022

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?