CVE-2020-15256

Name: CVE-2020-15256
Description: A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the `includeInheritedProps: true` option or the `withInheritedProps` instance if using a version >= 0.11.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
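The description above names the risky mode but not what a hardened path setter has to do. The following is an added illustration, not object-path's own code: a minimal `safeSet()` that mirrors the `includeInheritedProps` option and refuses the reserved keys (`__proto__`, `constructor`, `prototype`) through which a dotted path could otherwise reach `Object.prototype`. The names `safeSet`, `toPathArray`, `isPrototypePolluted` and `FORBIDDEN_KEYS` are this example's own.

```javascript
// Added illustration (hypothetical names), not object-path's implementation.
// Keys that a path setter must never traverse or assign, in either mode.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept the same path shapes object-path does: "a.b.c", ["a", "b"], or a number.
function toPathArray(path) {
  if (Array.isArray(path)) return path.map(String);
  if (typeof path === 'number') return [String(path)];
  return String(path).split('.');
}

// Sets `value` at `path` inside `obj` and returns `obj` so callers can assert on it.
// includeInheritedProps=true follows properties found anywhere on the prototype
// chain (the mode the advisory restricts); false follows own properties only.
function safeSet(obj, path, value, { includeInheritedProps = false } = {}) {
  const keys = toPathArray(path);
  if (keys.length === 0) return obj;
  // Mitigation: reject reserved keys up front, so even the inherited-props
  // mode cannot climb from a plain object into Object.prototype.
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set through reserved key "${key}"`);
    }
  }
  let current = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const exists = includeInheritedProps
      ? key in Object(current)
      : Object.prototype.hasOwnProperty.call(current, key);
    // Create an intermediate container when the segment is absent or not an object.
    if (!exists || typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  current[keys[keys.length - 1]] = value;
  return obj;
}

// Detection helper: a fresh object must not see `prop` via its prototype chain.
function isPrototypePolluted(prop) {
  return prop in {};
}
```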

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package           Release                Version             Status
node-object-path (PTS)   buster                 0.11.4-2+deb10u1    fixed
                         buster (security)      0.11.4-2+deb10u2    fixed
                         bullseye               0.11.5-3+deb11u1    fixed
                         bookworm, sid, trixie  0.11.8+~0.11.1-2    fixed

The information below is based on the following data on fixed versions.

Package            Type     Release     Fixed Version      Urgency      Origin   Debian Bugs
node-object-path   source   stretch     (unfixed)          end-of-life
node-object-path   source   buster      0.11.4-2+deb10u1
node-object-path   source   (unstable)  0.11.5-3

Notes

[stretch] - node-object-path <end-of-life> (Nodejs in stretch not covered by security support)
https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
