CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (488)
page 21 of 25

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-28472 | | | 0.00 | — | 0.02 | | Jan 19, 2021 | This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can… |
| CVE-2020-28279 | | — | 0.00 | — | 0.03 | | Dec 29, 2020 | Prototype pollution vulnerability in 'flattenizer' versions 0.0.5 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28278 | | | 0.00 | — | 0.03 | | Dec 29, 2020 | Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28282 | | — | 0.00 | — | 0.02 | | Dec 29, 2020 | Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28281 | | — | 0.00 | — | 0.04 | | Dec 29, 2020 | Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 through 0.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28276 | | — | 0.00 | — | 0.03 | | Dec 29, 2020 | Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28277 | | — | 0.00 | — | 0.02 | | Dec 29, 2020 | Prototype pollution vulnerability in 'dset' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28448 | | | 0.00 | — | 0.00 | | Dec 22, 2020 | This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the `__proto__` object as part of an array. |
| CVE-2020-28460 | | | 0.00 | — | 0.01 | | Dec 22, 2020 | This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the `constructor.__proto__` object as part of an array. This is a bypass of CVE-2020-28448. |
| CVE-2020-28458 | | — | 0.00 | — | 0.01 | | Dec 16, 2020 | All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. |
| CVE-2020-28442 | | — | 0.00 | — | 0.01 | | Dec 15, 2020 | All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn function. |
| CVE-2020-7792 | | — | 0.00 | — | 0.01 | | Dec 11, 2020 | This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the… |
| CVE-2020-7788 | | | 0.00 | — | 0.00 | | Dec 11, 2020 | This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. |
| CVE-2020-28273 | | — | 0.00 | — | 0.04 | | Dec 2, 2020 | Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28272 | | — | 0.00 | — | 0.03 | | Dec 2, 2020 | Prototype pollution vulnerability in 'keyget' versions 1.0.0 through 2.2.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-7774 | | — | 0.00 | — | 0.00 | | Nov 17, 2020 | The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution. |
| CVE-2020-28268 | | — | 0.00 | — | 0.02 | | Nov 15, 2020 | Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-7772 | | — | 0.00 | — | 0.01 | | Nov 15, 2020 | This affects the package doc-path before 2.1.2. |
| CVE-2020-28270 | | | 0.00 | — | 0.03 | | Nov 12, 2020 | Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2020-28269 | | — | 0.00 | — | 0.03 | | Nov 12, 2020 | Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. |