CVE-2022-21189 Information

Jun 07, 2022 cve

Description

The package dexie before 3.2.2 from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj keyPath value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways for example when modifying a collection with untrusted user input.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://snyk.io/vuln/SNYK-JS-DEXIE-2607042 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308 https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8

Share on: