CVE-2021-23440 — HIGH (7.3)

Q: How severe is CVE-2021-23440?

CVE-2021-23440 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-23440?

Check the references section above for vendor advisories and patch information. Affected products include: Set-Value Project Set-Value, Oracle Communications Cloud Native Core Policy.

Vulnerability Description

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Set-Value Project	Set-Value	< 2.0.1
Oracle	Communications Cloud Native Core Policy	1.14.0

Related Weaknesses (CWE)

CWE-843

References

https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f9528PatchThird Party Advisory
https://github.com/jonschlinkert/set-value/pull/33PatchThird Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541ExploitThird Party Advisory
https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/ExploitThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f9528PatchThird Party Advisory
https://github.com/jonschlinkert/set-value/pull/33PatchThird Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541ExploitThird Party Advisory
https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/ExploitThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2021-23440?

CVE-2021-23440 is a vulnerability with a CVSS score of 7.3 (HIGH). This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are array...

How severe is CVE-2021-23440?

CVE-2021-23440 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-23440?

Check the references section above for vendor advisories and patch information. Affected products include: Set-Value Project Set-Value, Oracle Communications Cloud Native Core Policy.