CVE-2023-45827 - OpenCVE

Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Clickbar	Dot-diver

Configuration 1 [-]

cpe:2.3:a:clickbar:dot-diver:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a	Patch
https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-06T17:25:43.774Z

Updated: 2023-11-06T17:25:43.774Z

Reserved: 2023-10-13T12:00:50.439Z

Link: CVE-2023-45827

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-06T18:15:08.467

Modified: 2023-11-14T17:10:21.330

Link: CVE-2023-45827

JSON object: View

Redhat Information

No data.

CWE

CWE-1321

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-45827", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-13T12:00:50.439Z", "datePublished": "2023-11-06T17:25:43.774Z", "dateUpdated": "2023-11-06T17:25:43.774Z"}, "containers": {"cna": {"title": "Prototype Pollution vulnerability in @clickbar/dot-diver", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47"}, {"name": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a", "tags": ["x_refsource_MISC"], "url": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a"}], "affected": [{"vendor": "clickbar", "product": "dot-diver", "versions": [{"version": "< 1.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-06T17:25:43.774Z"}, "descriptions": [{"lang": "en", "value": "Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.\n"}], "source": {"advisory": "GHSA-9w5f-mw3p-pj47", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clickbar:dot-diver:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B282AFD1-80AC-4421-BAA9-C5B8951E3841", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.\n"}, {"lang": "es", "value": "Dot diver es una librer\u00eda de utilidades TypeScript liviana, potente y sin dependencias que proporciona tipos y funciones para trabajar con rutas de objetos en notaci\u00f3n de puntos. En versiones anteriores a la 1.0.2 hay una vulnerabilidad de contaminaci\u00f3n de prototipo en la funci\u00f3n `setByPath` que puede conducir a la Ejecuci\u00f3n Remota de C\u00f3digo (RCE). Este problema se solucion\u00f3 en el commit `98daf567` que se incluy\u00f3 en la versi\u00f3n 1.0.2. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-45827", "lastModified": "2023-11-14T17:10:21.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-06T18:15:08.467", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}