CVE-2020-7770 Information

Description

This affects the package json8 before 1.0.3. The function adds the property specified in the path to the target object; however, it does not properly check the key being set, leading to prototype pollution.
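The class of bug described above, shown as an added example that is not json8's code: a path-based setter without a key check beside one that rejects keys reaching the prototype chain. The function names, the JSON Pointer style path syntax and the sample paths are assumptions made for illustration.

```javascript
// Hypothetical path-based setter, written for illustration (not json8's API).
// Keys that resolve to the prototype chain rather than to own data.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "/a/b" into ["a", "b"], decoding the RFC 6901 escapes ~1 and ~0.
// The empty (root) pointer is not accepted by these setters.
function parsePointer(pointer) {
  if (typeof pointer !== "string" || pointer[0] !== "/") throw new SyntaxError("pointer must start with '/'");
  return pointer.slice(1).split("/").map((t) => t.replace(/~1/g, "/").replace(/~0/g, "~"));
}

// Unchecked form: walks into and creates whatever key the path names.
function setUnchecked(target, pointer, value) {
  const tokens = parsePointer(pointer);
  const last = tokens.pop();
  let node = target;
  for (const t of tokens) {
    if (node[t] === null || typeof node[t] !== "object") node[t] = {};
    node = node[t]; // "__proto__" here yields Object.prototype
  }
  node[last] = value;
  return target;
}

// Checked form: refuses prototype-reaching keys, descends only into own properties.
function setChecked(target, pointer, value) {
  const tokens = parsePointer(pointer);
  const bad = tokens.find((t) => FORBIDDEN_KEYS.has(t));
  if (bad !== undefined) throw new Error(`refusing key "${bad}" in path`);
  const last = tokens.pop();
  let node = target;
  for (const t of tokens) {
    const own = Object.prototype.hasOwnProperty.call(node, t);
    if (!own || node[t] === null || typeof node[t] !== "object") node[t] = {};
    node = node[t];
  }
  node[last] = value;
  return target;
}

// Constructed input: paths as they might arrive in an untrusted request body.
function demo() {
  const doc = setChecked({}, "/user/name", "alice"); // ordinary path still works
  let rejected = false;
  try {
    setChecked({}, "/__proto__/polluted", true);
  } catch (e) {
    rejected = true;
  }
  return { doc, rejected, leaked: ({}).polluted === true };
}
console.log(demo());
```

For data that must accept arbitrary key names, building the target with `Object.create(null)` or using a `Map` removes the prototype chain from the lookup entirely.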

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Reference

https://github.com/sonnyp/JSON8/commit/2e890261b66cbc54ae01d0c79c71b0fd18379e7e
https://snyk.io/vuln/SNYK-JS-JSON8-1017116

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
