CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

VariantIncomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Hierarchy (View 1000)

Parents

CWE-915

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (488)

page 22 of 25

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2020-7770	—	—	0.00	Nov 12, 2020	This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.
CVE-2020-7768	Grpc Grpc	—	0.01	Nov 11, 2020	The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
CVE-2020-28267	—	—	0.02	Nov 10, 2020	Prototype pollution vulnerability in '@strikeentco/set' version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
CVE-2020-7766	—	—	0.01	Nov 10, 2020	This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does…
CVE-2020-8268	—	—	0.00	Nov 9, 2020	Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.
CVE-2020-7746	—	—	0.00	Oct 29, 2020	This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys…
CVE-2020-7751	Chaijs Pathval	—	0.01	Oct 25, 2020	pathval before version 1.1.1 is vulnerable to prototype pollution.
CVE-2020-7748	—	—	0.01	Oct 20, 2020	This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
CVE-2020-7742	—	—	0.00	Oct 7, 2020	This affects the package simpl-schema before 1.10.2.
CVE-2020-7709	—	—	0.01	Oct 5, 2020	This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.
CVE-2020-7737	Gramakri Safetydance	—	0.00	Oct 2, 2020	All versions of package safetydance are vulnerable to Prototype Pollution via the set function.
CVE-2020-7736	—	—	0.01	Oct 2, 2020	The package bmoor before 0.8.12 are vulnerable to Prototype Pollution via the set function.
CVE-2020-8158	—	—	0.00	Sep 18, 2020	Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.
CVE-2020-7725	Lumiverse Worksmith	—	0.00	Sep 1, 2020	All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.
CVE-2020-7726	Lumiverse Safe Object2	—	0.00	Sep 1, 2020	All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.
CVE-2020-7727	—	—	0.00	Sep 1, 2020	All versions of package gedi are vulnerable to Prototype Pollution via the set function.
CVE-2020-7723	Lumiverse Promisehelpers	—	0.00	Sep 1, 2020	All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function.
CVE-2020-7724	—	—	0.00	Sep 1, 2020	All versions of package tiny-conf are vulnerable to Prototype Pollution via the set function.
CVE-2020-7721	Lumiverse Node Oojs	—	0.00	Sep 1, 2020	All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.
CVE-2020-7722	Lumiverse Nodee Utils	—	0.00	Sep 1, 2020	All versions of package nodee-utils are vulnerable to Prototype Pollution via the deepSet function.

CVE-2020-7770Nov 12, 2020
risk 0.00cvss —epss 0.00
This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.
CVE-2020-7768Nov 11, 2020
Grpc
Grpc
risk 0.00cvss —epss 0.01
The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
CVE-2020-28267Nov 10, 2020
risk 0.00cvss —epss 0.02
Prototype pollution vulnerability in '@strikeentco/set' version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
CVE-2020-7766Nov 10, 2020
risk 0.00cvss —epss 0.01
This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does…
CVE-2020-8268Nov 9, 2020
risk 0.00cvss —epss 0.00
Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.
CVE-2020-7746Oct 29, 2020
risk 0.00cvss —epss 0.00
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys…
CVE-2020-7751Oct 25, 2020
Chaijs
Pathval
risk 0.00cvss —epss 0.01
pathval before version 1.1.1 is vulnerable to prototype pollution.
CVE-2020-7748Oct 20, 2020
risk 0.00cvss —epss 0.01
This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
CVE-2020-7742Oct 7, 2020
risk 0.00cvss —epss 0.00
This affects the package simpl-schema before 1.10.2.
CVE-2020-7709Oct 5, 2020
risk 0.00cvss —epss 0.01
This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.
CVE-2020-7737Oct 2, 2020
Gramakri
Safetydance
risk 0.00cvss —epss 0.00
All versions of package safetydance are vulnerable to Prototype Pollution via the set function.
CVE-2020-7736Oct 2, 2020
risk 0.00cvss —epss 0.01
The package bmoor before 0.8.12 are vulnerable to Prototype Pollution via the set function.
CVE-2020-8158Sep 18, 2020
risk 0.00cvss —epss 0.00
Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.
CVE-2020-7725Sep 1, 2020
Lumiverse
Worksmith
risk 0.00cvss —epss 0.00
All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.
CVE-2020-7726Sep 1, 2020
Lumiverse
Safe Object2
risk 0.00cvss —epss 0.00
All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.
CVE-2020-7727Sep 1, 2020
risk 0.00cvss —epss 0.00
All versions of package gedi are vulnerable to Prototype Pollution via the set function.
CVE-2020-7723Sep 1, 2020
Lumiverse
Promisehelpers
risk 0.00cvss —epss 0.00
All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function.
CVE-2020-7724Sep 1, 2020
risk 0.00cvss —epss 0.00
All versions of package tiny-conf are vulnerable to Prototype Pollution via the set function.
CVE-2020-7721Sep 1, 2020
Lumiverse
Node Oojs
risk 0.00cvss —epss 0.00
All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.
CVE-2020-7722Sep 1, 2020
Lumiverse
Nodee Utils
risk 0.00cvss —epss 0.00
All versions of package nodee-utils are vulnerable to Prototype Pollution via the deepSet function.