CVE-2021-41097

Sažetak

aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.

Reference

https://github.com/aurelia/path/releases/tag/1.1.7
https://github.com/aurelia/path/issues/44
https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv
https://www.npmjs.com/package/aurelia-path
https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

30-09-2022 - 02:31

Objavljeno

27-09-2021 - 18:15