Search criteria
15 vulnerabilities by Snyk
CVE-2024-21571 (GCVE-0-2024-21571)
Vulnerability from cvelistv5 – Published: 2024-12-06 13:21 – Updated: 2024-12-06 17:54
VLAI?
Summary
Snyk has identified a remote code execution (RCE) vulnerability in all versions of Code Agent. The vulnerability enables an attacker to execute arbitrary code within the Code Agent container. Exploiting this vulnerability would require an attacker to have network access to the Code Agent within the deployment environment. External exploitation of this vulnerability is unlikely and depends on both misconfigurations of the cluster and/or chaining with another vulnerability. However, internal exploitation (with a cluster misconfiguration) could still be possible.
Severity ?
8.1 (High)
CWE
- CWE-94 - Remote Code Execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | Code Agent |
Affected:
0 , < *
(semver)
|
Credits
Snyk
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:synk:code_agent:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "code_agent",
"vendor": "synk",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21571",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T17:52:05.174400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T17:54:30.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Code Agent",
"vendor": "Snyk",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Snyk"
}
],
"descriptions": [
{
"lang": "en",
"value": "Snyk has identified a remote code execution (RCE) vulnerability in all versions of Code Agent. The vulnerability enables an attacker to execute arbitrary code within the Code Agent container. Exploiting this vulnerability would require an attacker to have network access to the Code Agent within the deployment environment. External exploitation of this vulnerability is unlikely and depends on both misconfigurations of the cluster and/or chaining with another vulnerability. However, internal exploitation (with a cluster misconfiguration) could still be possible."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Remote Code Execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T13:21:11.671Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21571"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2024-21571",
"datePublished": "2024-12-06T13:21:11.671Z",
"dateReserved": "2023-12-22T12:33:20.130Z",
"dateUpdated": "2024-12-06T17:54:30.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48963 (GCVE-0-2024-48963)
Vulnerability from cvelistv5 – Published: 2024-10-23 18:24 – Updated: 2024-10-24 13:44
VLAI?
Summary
The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.
Severity ?
7.5 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Snyk | Snyk Cli |
Affected:
0 , < 1.1294.0
(semver)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:snyk:snyk_cli:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "snyk_cli",
"vendor": "snyk",
"versions": [
{
"lessThan": "1.1294.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:snyk:snyk_php_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "snyk_php_plugin",
"vendor": "snyk",
"versions": [
{
"lessThan": "1.10.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T13:41:48.296818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T13:44:01.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Snyk Cli",
"vendor": "Snyk",
"versions": [
{
"lessThan": "1.1294.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "Snyk PHP Plugin",
"vendor": "Snyk",
"versions": [
{
"lessThan": "1.10.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"cvssV4_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:24:48.174Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://github.com/snyk/snyk-php-plugin/releases/tag/v1.10.0"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2024-48963",
"datePublished": "2024-10-23T18:24:48.174Z",
"dateReserved": "2024-10-10T12:49:33.454Z",
"dateUpdated": "2024-10-24T13:44:01.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48964 (GCVE-0-2024-48964)
Vulnerability from cvelistv5 – Published: 2024-10-23 18:24 – Updated: 2024-10-24 13:48
VLAI?
Summary
The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.
Severity ?
7.5 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Snyk | Snyk Cli |
Affected:
0 , < 1.1294.0
(semver)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:snyk:snyk_cli:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "snyk_cli",
"vendor": "snyk",
"versions": [
{
"lessThan": "1.1294.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:snyk:snyk_gradle_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "snyk_gradle_plugin",
"vendor": "snyk",
"versions": [
{
"lessThan": "4.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T13:45:04.218805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T13:48:00.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Snyk Cli",
"vendor": "Snyk",
"versions": [
{
"lessThan": "1.1294.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "Snyk Gradle Plugin",
"vendor": "Snyk",
"versions": [
{
"lessThan": "4.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"cvssV4_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:24:42.404Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://github.com/snyk/snyk-gradle-plugin/commit/2f5ee7579f00660282dd161a0b79690f4a9c865d"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2024-48964",
"datePublished": "2024-10-23T18:24:42.404Z",
"dateReserved": "2024-10-10T12:49:33.454Z",
"dateUpdated": "2024-10-24T13:48:00.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1767 (GCVE-0-2023-1767)
Vulnerability from cvelistv5 – Published: 2023-04-20 09:20 – Updated: 2025-02-05 16:09
VLAI?
Summary
The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor.
Severity ?
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | Snyk Advisor |
Affected:
2020-10-01 , < 2023-03-28
(custom)
|
Credits
Gal Weizman
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:57:25.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.snyk.io/hc/en-us/articles/10146704933405"
},
{
"tags": [
"x_transferred"
],
"url": "https://weizman.github.io/2023/04/10/snyk-xss/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1767",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T16:09:22.282898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T16:09:37.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Snyk Advisor",
"vendor": "Snyk",
"versions": [
{
"lessThan": "2023-03-28",
"status": "affected",
"version": "2020-10-01",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Gal Weizman"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package\u0027s Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package\u0027s page on Snyk Advisor."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-20T09:20:05.667Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://support.snyk.io/hc/en-us/articles/10146704933405"
},
{
"url": "https://weizman.github.io/2023/04/10/snyk-xss/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-1767",
"datePublished": "2023-04-20T09:20:05.667Z",
"dateReserved": "2023-03-31T08:01:32.553Z",
"dateUpdated": "2025-02-05T16:09:37.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1065 (GCVE-0-2023-1065)
Vulnerability from cvelistv5 – Published: 2023-02-28 18:32 – Updated: 2025-03-07 18:37
VLAI?
Summary
This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case).
Severity ?
6.5 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | Snyk Kubernetes Monitor |
Affected:
0 , < 2.0.0
(semver)
|
Credits
Tesco CyberSecurity Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:32:46.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snyk/kubernetes-monitor"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157"
},
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snyk/kubernetes-monitor/pull/1275"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T18:37:33.265395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T18:37:42.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Snyk Kubernetes Monitor",
"vendor": "Snyk",
"versions": [
{
"lessThan": "2.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tesco CyberSecurity Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target\u0027s Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-01T11:27:50.500Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://github.com/snyk/kubernetes-monitor"
},
{
"url": "https://github.com/snyk/kubernetes-monitor/commit/5b9a7821680bbfb6c4a900ab05d898ce2b2cc157"
},
{
"url": "https://snyk.io/blog/api-auth-vuln-snyk-kubernetes-cve-2023-1065/"
},
{
"url": "https://github.com/snyk/kubernetes-monitor/pull/1275"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-1065",
"datePublished": "2023-02-28T18:32:47.899Z",
"dateReserved": "2023-02-27T11:54:18.520Z",
"dateUpdated": "2025-03-07T18:37:42.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10797 (GCVE-0-2019-10797)
Vulnerability from cvelistv5 – Published: 2020-02-19 18:14 – Updated: 2024-08-04 22:32
VLAI?
Summary
Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled.
Severity ?
No CVSS data available.
CWE
- HTTP Response Splitting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | WSO2 transport-http |
Affected:
All versions prior to version v6.3.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:02.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWSO2TRANSPORTHTTP-548944"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WSO2 transport-http",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to version v6.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "HTTP Response Splitting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-19T18:14:55.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWSO2TRANSPORTHTTP-548944"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10797",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WSO2 transport-http",
"version": {
"version_data": [
{
"version_value": "All versions prior to version v6.3.1"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HTTP Response Splitting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWSO2TRANSPORTHTTP-548944",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWSO2TRANSPORTHTTP-548944"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10797",
"datePublished": "2020-02-19T18:14:55.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:02.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10791 (GCVE-0-2019-10791)
Vulnerability from cvelistv5 – Published: 2020-02-18 16:01 – Updated: 2024-08-04 22:32
VLAI?
Summary
promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization.
Severity ?
No CVSS data available.
CWE
- Arbitrary Code Execution
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | promise-probe |
Affected:
All versions prior to version 0.10.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:02.100Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dottgonzo/node-promise-probe/commit/0d9affb67fc1ad985903536d35372cf55efe5a45%2C"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-PROMISEPROBE-546816"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "promise-probe",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-18T16:01:20.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dottgonzo/node-promise-probe/commit/0d9affb67fc1ad985903536d35372cf55efe5a45%2C"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-PROMISEPROBE-546816"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10791",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "promise-probe",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 0.10.0"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/dottgonzo/node-promise-probe/commit/0d9affb67fc1ad985903536d35372cf55efe5a45,",
"refsource": "MISC",
"url": "https://github.com/dottgonzo/node-promise-probe/commit/0d9affb67fc1ad985903536d35372cf55efe5a45,"
},
{
"name": "https://snyk.io/vuln/SNYK-JS-PROMISEPROBE-546816",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-PROMISEPROBE-546816"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10791",
"datePublished": "2020-02-18T16:01:20.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:02.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10793 (GCVE-0-2019-10793)
Vulnerability from cvelistv5 – Published: 2020-02-18 15:57 – Updated: 2024-08-04 22:32
VLAI?
Summary
dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
Severity ?
No CVSS data available.
CWE
- Prototype Pollution
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | dot-object |
Affected:
All versions prior to version 2.1.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:02.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rhalff/dot-object/commit/f76cff5fe6d01d30ce110d8f454db2e5bd28a7de"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-DOTOBJECT-548905"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "dot-object",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 2.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-18T15:57:37.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rhalff/dot-object/commit/f76cff5fe6d01d30ce110d8f454db2e5bd28a7de"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-DOTOBJECT-548905"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10793",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "dot-object",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 2.1.3"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rhalff/dot-object/commit/f76cff5fe6d01d30ce110d8f454db2e5bd28a7de",
"refsource": "MISC",
"url": "https://github.com/rhalff/dot-object/commit/f76cff5fe6d01d30ce110d8f454db2e5bd28a7de"
},
{
"name": "https://snyk.io/vuln/SNYK-JS-DOTOBJECT-548905",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-DOTOBJECT-548905"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10793",
"datePublished": "2020-02-18T15:57:37.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:02.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10792 (GCVE-0-2019-10792)
Vulnerability from cvelistv5 – Published: 2020-02-18 15:49 – Updated: 2024-08-04 22:32
VLAI?
Summary
bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
Severity ?
No CVSS data available.
CWE
- Prototype Pollution
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:01.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/diegohaz/bodymen/commit/5d52e8cf360410ee697afd90937e6042c3a8653b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-BODYMEN-548897"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "bodymen",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-18T15:49:47.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/diegohaz/bodymen/commit/5d52e8cf360410ee697afd90937e6042c3a8653b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-BODYMEN-548897"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10792",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bodymen",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 1.1.1"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/diegohaz/bodymen/commit/5d52e8cf360410ee697afd90937e6042c3a8653b",
"refsource": "MISC",
"url": "https://github.com/diegohaz/bodymen/commit/5d52e8cf360410ee697afd90937e6042c3a8653b"
},
{
"name": "https://snyk.io/vuln/SNYK-JS-BODYMEN-548897",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-BODYMEN-548897"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10792",
"datePublished": "2020-02-18T15:49:47.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:01.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10795 (GCVE-0-2019-10795)
Vulnerability from cvelistv5 – Published: 2020-02-18 15:43 – Updated: 2024-08-04 22:32
VLAI?
Summary
undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
Severity ?
No CVSS data available.
CWE
- Prototype Pollution
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:02.035Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-UNDEFSAFE-548940"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/remy/undefsafe/commit/f272681b3a50e2c4cbb6a8533795e1453382c822"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "undefsafe",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 2.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The \u0027a\u0027 function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-18T15:43:13.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-UNDEFSAFE-548940"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/remy/undefsafe/commit/f272681b3a50e2c4cbb6a8533795e1453382c822"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10795",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "undefsafe",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 2.0.3"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The \u0027a\u0027 function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-UNDEFSAFE-548940",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-UNDEFSAFE-548940"
},
{
"name": "https://github.com/remy/undefsafe/commit/f272681b3a50e2c4cbb6a8533795e1453382c822",
"refsource": "MISC",
"url": "https://github.com/remy/undefsafe/commit/f272681b3a50e2c4cbb6a8533795e1453382c822"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10795",
"datePublished": "2020-02-18T15:43:13.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:02.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10794 (GCVE-0-2019-10794)
Vulnerability from cvelistv5 – Published: 2020-02-18 15:32 – Updated: 2024-08-04 22:32
VLAI?
Summary
All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
Severity ?
No CVSS data available.
CWE
- Prototype Pollution
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | component-flatten |
Affected:
All versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:01.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-COMPONENTFLATTEN-548907"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "component-flatten",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-18T15:32:54.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-JS-COMPONENTFLATTEN-548907"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10794",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "component-flatten",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-COMPONENTFLATTEN-548907",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-JS-COMPONENTFLATTEN-548907"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10794",
"datePublished": "2020-02-18T15:32:54.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:01.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10781 (GCVE-0-2019-10781)
Vulnerability from cvelistv5 – Published: 2020-01-22 13:40 – Updated: 2024-08-04 22:32
VLAI?
Summary
In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the `sanitize()` and the `validate()` function used within schema-inspector.
Severity ?
No CVSS data available.
CWE
- Internal Property Tampering
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | schema-inspector |
Affected:
All versions prior to version 1.6.9
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:01.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SCHEMAINSPECTOR-536970"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Atinux/schema-inspector/commit/345a7b2eed11bb6128421150d65f4f83fdbb737d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "schema-inspector",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 1.6.9"
}
]
}
],
"datePublic": "2020-01-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the `sanitize()` and the `validate()` function used within schema-inspector."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Internal Property Tampering",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-22T13:40:56.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SCHEMAINSPECTOR-536970"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Atinux/schema-inspector/commit/345a7b2eed11bb6128421150d65f4f83fdbb737d"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10781",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "schema-inspector",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 1.6.9"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the `sanitize()` and the `validate()` function used within schema-inspector."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Internal Property Tampering"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SCHEMAINSPECTOR-536970",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SCHEMAINSPECTOR-536970"
},
{
"name": "https://github.com/Atinux/schema-inspector/commit/345a7b2eed11bb6128421150d65f4f83fdbb737d",
"refsource": "CONFIRM",
"url": "https://github.com/Atinux/schema-inspector/commit/345a7b2eed11bb6128421150d65f4f83fdbb737d"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10781",
"datePublished": "2020-01-22T13:40:56.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:01.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10760 (GCVE-0-2019-10760)
Vulnerability from cvelistv5 – Published: 2019-10-15 14:53 – Updated: 2024-08-04 22:32
VLAI?
Summary
safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
Severity ?
No CVSS data available.
CWE
- Arbitrary Code Execution
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | safer-eval |
Affected:
All versions prior to version 1.3.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:01.515Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SAFEREVAL-473029"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "safer-eval",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-15T14:53:11.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-JS-SAFEREVAL-473029"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10760",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "safer-eval",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 1.3.2"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SAFEREVAL-473029",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-JS-SAFEREVAL-473029"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10760",
"datePublished": "2019-10-15T14:53:11.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:01.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10759 (GCVE-0-2019-10759)
Vulnerability from cvelistv5 – Published: 2019-10-15 14:47 – Updated: 2024-08-04 22:32
VLAI?
Summary
safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
Severity ?
No CVSS data available.
CWE
- Arbitrary Code Execution
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Snyk | safer-eval |
Affected:
All versions prior to version 1.3.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:01.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SAFEREVAL-173772"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "safer-eval",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 1.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-15T14:47:19.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-JS-SAFEREVAL-173772"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10759",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "safer-eval",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 1.3.4"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SAFEREVAL-173772",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-JS-SAFEREVAL-173772"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10759",
"datePublished": "2019-10-15T14:47:19.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:01.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10744 (GCVE-0-2019-10744)
Vulnerability from cvelistv5 – Published: 2019-07-25 23:43 – Updated: 2024-08-04 22:32
VLAI?
Summary
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Severity ?
No CVSS data available.
CWE
- Prototype Pollution
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:01.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2019:3024",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3024"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-450202"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20191004-0005/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lodash",
"vendor": "Snyk",
"versions": [
{
"status": "affected",
"version": "All versions prior to 4.17.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Prototype Pollution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-20T14:42:00.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"name": "RHSA-2019:3024",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3024"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-450202"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20191004-0005/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lodash",
"version": {
"version_data": [
{
"version_value": "All versions prior to 4.17.12"
}
]
}
}
]
},
"vendor_name": "Snyk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Prototype Pollution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2019:3024",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3024"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://snyk.io/vuln/SNYK-JS-LODASH-450202",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-450202"
},
{
"name": "https://security.netapp.com/advisory/ntap-20191004-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20191004-0005/"
},
{
"name": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10744",
"datePublished": "2019-07-25T23:43:03.000Z",
"dateReserved": "2019-04-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:32:01.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}