CVE-2019-20149 (High) detected in juice-shopjuice-shop-13.3.0_node16_darwin_x64 #4726
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
|
The CVE references |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2019-20149 - High Severity Vulnerability
Library home page: https://sourceforge.net/projects/juice-shop/
Found in HEAD commit: 1674c97b7650cfe7549a39b0ce4527f9692c7b67
Found in base branch: main
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution: 6.0.3
The text was updated successfully, but these errors were encountered: