CVE-2021-23413 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-23413 PUBLISHED

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.

EPSS 0.14% · 33.9th percentile

Risk Scores

EPSS Score

0.14%

33.9th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:25.10	node-jszip	0, 3.10.1+dfsg-2
Ubuntu:18.04:LTS	node-jszip	0, 3.1.4+dfsg-1
Ubuntu:22.04:LTS	node-jszip	3.7.1+dfsg-1, 0, 3.5.0+dfsg-2
Ubuntu:20.04:LTS	node-jszip	0, 3.2.2+dfsg-1
Ubuntu:24.04:LTS	node-jszip	0, 3.10.1+dfsg-2

Timeline

Jul 25, 2021 CVE Published
Jul 26, 2021 EPSS Score
Aug 27, 2021 CVE Updated
Sep 23, 2021 EPSS Score
Nov 20, 2021 EPSS Score
Jan 18, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Mar 18, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 15, 2022 EPSS Score
Sep 11, 2022 EPSS Score
Nov 8, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2021-23413 third-party-advisory
https://github.com/Stuk/jszip/pull/766 third-party-advisory
https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36 third-party-advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1251498 third-party-advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1251499 third-party-advisory
https://github.com/Stuk/jszip/blob/master/lib/object.js%23L88 third-party-advisory
https://snyk.io/vuln/SNYK-JS-JSZIP-1251497 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2021-23413 third-party-advisory
Multiples vulnérabilités dans les produits Splunk advisory

Open in Interactive Console →