CVE-2020-15256
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. In versions >= 0.11.0 the vulnerability is limited to the `includeInheritedProps` mode, which has to be explicitly enabled by creating a new instance of `object-path` with the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance; the default operating mode of those versions is not affected. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the `includeInheritedProps: true` option or the `withInheritedProps` instance if using a version >= 0.11.0.
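As an added illustration of the distinction the advisory draws (not code from `object-path` itself), the following deep-set only ever follows or creates own properties, which is the safe default mode, and refuses path segments that would walk the prototype chain; the names `safeSet`, `assertSafePath` and `objectPrototypeIsClean` are constructed for this example.

```javascript
// Constructed example, not object-path's implementation: a deep set that
// mirrors the unaffected default mode (own properties only) and enforces
// the workaround by rejecting prototype-chain path segments up front.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted path ("a.b.c") or take an array of segments, and throw on
// any segment that could reach Object.prototype. Throwing is the mitigation:
// the caller never gets to write through an inherited property.
function assertSafePath(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new TypeError(`refusing to traverse prototype segment: ${seg}`);
    }
  }
  return segments;
}

// Own-property-only traversal: an inherited name such as "toString" is not
// followed into the shared Object.prototype function but shadowed by a fresh
// own object on the target. This is the behaviour that includeInheritedProps
// mode gives up, and why that mode is the affected one.
function safeSet(target, path, value) {
  const segments = assertSafePath(path);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Audit helper for a test suite: a successful pollution leaves an enumerable
// own property on Object.prototype, which a clean runtime never has.
function objectPrototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}
```

A regression test built around `objectPrototypeIsClean()` is a cheap way to catch a dependency that still allows writes through inherited properties.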
EPSS 0.16% · 37.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | node-object-path | 0, 0.11.4-2 |
| Ubuntu:18.04:LTS | node-object-path | 0, 0.11.3-1 |
Timeline
- Oct 19, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Nov 18, 2021 CVE Updated
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-15256 third-party-advisory
- https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w third-party-advisory
- https://github.com/mariocasciaro/object-path/commit/2be3354c6c46215c7635eb1b76d80f1319403c68 third-party-advisory
- https://ubuntu.com/security/notices/USN-5967-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-15256 third-party-advisory