Prototype Pollution
CVE-2021-23434

5.6MEDIUM

Key Information:

Vendor: Object-path Project
Status: Object-path
Vendor: CVE Published:; 27 August 2021

🔔 Create Object-path Project Vulnerability Alert

What is CVE-2021-23434?

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is ['proto']. This is because the === operator returns always false when the type of the operands is different.

Affected Version(s)

object-path < 0.11.6

References

https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1570423

https://github.com/mariocasciaro/object-path/commit/7bdf4...

CVSS V3.1

Score:

5.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 27, 2021
Vulnerability Reserved
Jan 8, 2021

Credit

Alessio Della Libera of Snyk Research Team

JSON