Vulnerability Description
This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mpath Project | Mpath | < 0.8.4 |
Related Weaknesses (CWE)
References
- https://github.com/aheckmann/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579548ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-MPATH-1577289ExploitThird Party Advisory
- https://github.com/aheckmann/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579548ExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-MPATH-1577289ExploitThird Party Advisory
FAQ
What is CVE-2021-23438?
CVE-2021-23438 is a vulnerability with a CVSS score of 5.6 (MEDIUM). This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if...
How severe is CVE-2021-23438?
CVE-2021-23438 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-23438?
Check the references section above for vendor advisories and patch information. Affected products include: Mpath Project Mpath.