CVE-2022-31106


Date: June 28, 2022

Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of "underscore.deep" prior to 0.5.3 are vulnerable to prototype pollution: an attacker can craft a malicious payload and pass it to "deepFromFlat", which would pollute the prototype shared by every object created afterwards. Any users that have "deepFromFlat" or "deepPick" (which depends on "deepFromFlat") in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade can mitigate the issue by modifying "deepFromFlat" to reject the specific key names that make this pollution possible.
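As an added illustration of the mitigation described above (this is not underscore.deep's own code), the following plain JavaScript re-implements the deepFromFlat idea, turning dotted flat keys into a nested object, and refuses the key segments that would let a payload reach Object.prototype. The function names, the forbidden-key list and the sample inputs are assumptions constructed for this example.

```javascript
// Key segments that must never be walked or assigned when building a nested
// object from untrusted flat keys (assumed guard list for this example).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for plain objects we created ourselves, so we never descend into
// inherited values such as Object.prototype.toString.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Hardened variant of the deepFromFlat idea: {"a.b.c": 1} -> {a: {b: {c: 1}}}.
// Throws instead of silently skipping so callers notice hostile input.
function safeDeepFromFlat(flat) {
  const out = {};
  for (const flatKey of Object.keys(flat)) {
    const path = flatKey.split('.');
    for (const seg of path) {
      if (FORBIDDEN_KEYS.has(seg)) {
        throw new Error(`unsafe key segment "${seg}" in "${flatKey}"`);
      }
    }
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      // Only reuse an intermediate node that is our own plain object.
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || !isPlainObject(cur[seg])) {
        cur[seg] = {};
      }
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = flat[flatKey];
  }
  return out;
}

// Convenience check: does the guard reject this flat object?
function rejectsUnsafeKeys(flat) {
  try {
    safeDeepFromFlat(flat);
    return false;
  } catch (e) {
    return true;
  }
}
```

The same guard list should be applied to any other mixin that walks caller-supplied key paths, since "deepPick" reaches "deepFromFlat" indirectly.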

Language: COFFEE_SCRIPT


Weakness Type (CWE)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): LOW

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL