CVE-2021-23760 – keyget
Package
Manager: npm
Name: keyget
Vulnerable Version: >=0 <=2.4.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.02425 (percentile 0.84555)
Details
Prototype Pollution in keyget
The package keyget from version 0.0.0 is vulnerable to Prototype Pollution via the methods `set`, `push`, and `at`, which could allow an attacker to cause a denial of service and may lead to remote code execution.
**Note:** This vulnerability derives from an incomplete fix to [CVE-2020-28272](https://security.snyk.io/vuln/SNYK-JS-KEYGET-1048048).
Metadata
Created: 2022-02-01T00:51:01Z
Modified: 2022-01-31T19:46:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-9fp7-4fjm-q3mf/GHSA-9fp7-4fjm-q3mf.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-9fp7-4fjm-q3mf
Finding: F390
Auto approve: 1