CVE-2021-23682 — HIGH (7.3)

Q: How severe is CVE-2021-23682?

CVE-2021-23682 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-23682?

Check the references section above for vendor advisories and patch information. Affected products include: Appwrite Appwrite, Litespeed.Js Project Litespeed.Js.

Vulnerability Description

This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Appwrite	Appwrite	< 0.11.1
Litespeed.Js Project	Litespeed.Js	< 0.3.12

Related Weaknesses (CWE)

CWE-1321

References

https://github.com/appwrite/appwrite/pull/2778PatchThird Party Advisory
https://github.com/appwrite/appwrite/releases/tag/0.11.1Release NotesThird Party Advisory
https://github.com/appwrite/appwrite/releases/tag/0.12.2Release NotesThird Party Advisory
https://github.com/litespeed-js/litespeed.js/pull/18PatchThird Party Advisory
https://snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820ExploitThird Party Advisory
https://github.com/appwrite/appwrite/pull/2778PatchThird Party Advisory
https://github.com/appwrite/appwrite/releases/tag/0.11.1Release NotesThird Party Advisory
https://github.com/appwrite/appwrite/releases/tag/0.12.2Release NotesThird Party Advisory
https://github.com/litespeed-js/litespeed.js/pull/18PatchThird Party Advisory
https://snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250ExploitThird Party Advisory
https://snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820ExploitThird Party Advisory

FAQ

What is CVE-2021-23682?

CVE-2021-23682 is a vulnerability with a CVSS score of 7.3 (HIGH). This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key ...

How severe is CVE-2021-23682?

CVE-2021-23682 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-23682?

Check the references section above for vendor advisories and patch information. Affected products include: Appwrite Appwrite, Litespeed.Js Project Litespeed.Js.