CVE-2024-21489

Sažetak

Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.

Reference

https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452
https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983
https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224

CVSS

Base:	8.2
Impact:	4.2
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	HIGH	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Zadnje važnije ažuriranje

04-10-2024 - 13:51

Objavljeno

01-10-2024 - 05:15