CVE-2019-10806 - OpenCVE

vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Vega Project	Vega

Configuration 1 [-]

cpe:2.3:a:vega_project:vega:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/vega/vega/commit/8f33a0b5170d7de4f12fc248ec0901234342367b	Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JS-VEGAUTIL-559223	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2020-03-09T16:00:54

Updated: 2020-03-09T16:00:54

Reserved: 2019-04-03T00:00:00

Link: CVE-2019-10806

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-03-09T16:15:11.500

Modified: 2022-12-02T19:36:12.663

Link: CVE-2019-10806

JSON object: View

Redhat Information

No data.

CWE

CWE-1321

{"containers": {"cna": {"affected": [{"product": "vega-util", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions prior to 1.13.1"}]}], "descriptions": [{"lang": "en", "value": "vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype."}], "problemTypes": [{"descriptions": [{"description": "Prototype Pollution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-09T16:00:54", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-VEGAUTIL-559223"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vega/vega/commit/8f33a0b5170d7de4f12fc248ec0901234342367b"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "ID": "CVE-2019-10806", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "vega-util", "version": {"version_data": [{"version_value": "All versions prior to 1.13.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Prototype Pollution"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-VEGAUTIL-559223", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-VEGAUTIL-559223"}, {"name": "https://github.com/vega/vega/commit/8f33a0b5170d7de4f12fc248ec0901234342367b", "refsource": "MISC", "url": "https://github.com/vega/vega/commit/8f33a0b5170d7de4f12fc248ec0901234342367b"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2019-10806", "datePublished": "2020-03-09T16:00:54", "dateReserved": "2019-04-03T00:00:00", "dateUpdated": "2020-03-09T16:00:54", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vega_project:vega:*:*:*:*:*:*:*:*", "matchCriteriaId": "647A1213-2E8C-4281-B287-9FD26E92A7BF", "versionEndExcluding": "1.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype."}, {"lang": "es", "value": "vega-util versiones anteriores a 1.13.1, permite la manipulaci\u00f3n del prototipo de objeto. El m\u00e9todo \"vega.mergeConfig\" dentro de vega-util podr\u00eda ser enga\u00f1ado para agregar o modificar propiedades del Object.prototype."}], "id": "CVE-2019-10806", "lastModified": "2022-12-02T19:36:12.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-09T16:15:11.500", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vega/vega/commit/8f33a0b5170d7de4f12fc248ec0901234342367b"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-VEGAUTIL-559223"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}