Vulnerability Description
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Set-Value Project | Set-Value | < 2.0.1 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://snyk.io/vuln/SNYK-JS-SETVALUE-450213ExploitThird Party Advisory
- https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://snyk.io/vuln/SNYK-JS-SETVALUE-450213ExploitThird Party Advisory
FAQ
What is CVE-2019-10747?
CVE-2019-10747 is a vulnerability with a CVSS score of 9.8 (CRITICAL). set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the construct...
How severe is CVE-2019-10747?
CVE-2019-10747 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-10747?
Check the references section above for vendor advisories and patch information. Affected products include: Set-Value Project Set-Value.