CVE-2021-23440
PUBLISHED
This affects the package set-value in versions before 2.0.1, and in versions >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
EPSS 0.06% · 20.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:22.04:LTS | node-set-value | 3.0.1-2, 3.0.1-3, 4.1.0+~4.0.1-1 |
| Ubuntu:18.04:LTS | node-set-value | 0, 0.4.0-1 |
| Ubuntu:25.10 | node-set-value | 0, 4.1.0+~4.0.1-2 |
| Ubuntu:24.04:LTS | node-set-value | 4.1.0+~4.0.1-2, 0 |
| Ubuntu:20.04:LTS | node-set-value | 0, 0.4.0-1, 0.4.0-2 |
Exploit Intelligence
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212 (nist-nvd)
- https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541 (nist-nvd)
- https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/ (nist-nvd)
- javascript.rs (github-poc), 7 entries
…and 1 more exploits
Timeline
- CVE Published
- Sep 13, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 5, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jun 28, 2022 EPSS Score
- Aug 25, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 14, 2023 EPSS Score
- Mar 23, 2023 EPSS Score
- Apr 5, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-23440 third-party-advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212 third-party-advisory
- https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452 third-party-advisory
- https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/ third-party-advisory
- https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541 third-party-advisory
- https://github.com/jonschlinkert/set-value/pull/33 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-23440 third-party-advisory