CVE-2021-23771 - OpenCVE

This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Notevil Project	Notevil
Argencoders-notevil Project	Argencoders-notevil

Configuration 1 [-]

OR	cpe:2.3:a:argencoders-notevil_project:argencoders-notevil::::::node.js::*
	cpe:2.3:a:notevil_project:notevil::::::node.js::*

References

Link	Resource
https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587	Exploit Third Party Advisory
https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2022-03-17T00:00:00

Updated: 2022-03-17T11:20:34

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23771

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-17T12:15:07.740

Modified: 2022-03-24T01:46:38.647

Link: CVE-2021-23771

JSON object: View

Redhat Information

No data.

CWE

CWE-1321

{"containers": {"cna": {"affected": [{"product": "notevil", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}, {"product": "argencoders-notevil", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Cristian-Alexandru Staicu"}, {"lang": "en", "value": "Abdullah Alhamdan"}], "datePublic": "2022-03-17T00:00:00", "descriptions": [{"lang": "en", "value": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "LOW", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 6.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Sandbox Bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-17T11:20:34", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587"}], "title": "Sandbox Bypass", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-03-17T11:16:10.096414Z", "ID": "CVE-2021-23771", "STATE": "PUBLIC", "TITLE": "Sandbox Bypass"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "notevil", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}, {"product": {"product_data": [{"product_name": "argencoders-notevil", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Cristian-Alexandru Staicu"}, {"lang": "eng", "value": "Abdullah Alhamdan"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878)."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Sandbox Bypass"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946"}, {"name": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23771", "datePublished": "2022-03-17T00:00:00", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2022-03-17T11:20:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:argencoders-notevil_project:argencoders-notevil:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4FB7BAC2-912E-411E-8F07-EFC844BF97AC", "versionEndIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:notevil_project:notevil:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3021DEE3-01BA-4C44-925B-C06F24FD95F5", "versionEndIncluding": "1.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878)."}, {"lang": "es", "value": "Esto afecta a todas las versiones del paquete notevil; todas las versiones del paquete argencoders-notevil. Es vulnerable a un Escape del Sandbox conllevando a una contaminaci\u00f3n del Prototipo. El paquete falla al restringir el acceso al contexto principal, permitiendo a un atacante a\u00f1adir o modificar el prototipo de un objeto. **Nota:** Esta vulnerabilidad deriva de una correcci\u00f3n incompleta en [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878)"}], "id": "CVE-2021-23771", "lastModified": "2022-03-24T01:46:38.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-03-17T12:15:07.740", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}