CVE-2021-23440

NameCVE-2021-23440
DescriptionThis affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs994448

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-set-value (PTS)buster0.4.0-1+deb10u1fixed
bullseye3.0.1-2+deb11u1fixed
sid, trixie, bookworm4.1.0+~4.0.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-set-valuesourcestretch(unfixed)end-of-life
node-set-valuesourcebuster(not affected)
node-set-valuesourcebullseye3.0.1-2+deb11u1
node-set-valuesource(unstable)3.0.1-3994448

Notes

[buster] - node-set-value <not-affected> (Vulnerable code does not exist)
[stretch] - node-set-value <end-of-life> (Nodejs in stretch not covered by security support)
https://github.com/jonschlinkert/set-value/commit/383b72d47c74a55ae8b6e231da548f9280a4296a (v4.0.1)
https://github.com/jonschlinkert/set-value/pull/33
Search for package or bug name: Reporting problems