GHSA-p9pc-299p-vxgp

Source

https://github.com/advisories/GHSA-p9pc-299p-vxgp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p9pc-299p-vxgp/GHSA-p9pc-299p-vxgp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p9pc-299p-vxgp

Aliases

CVE-2020-7608
SNYK-JS-YARGSPARSER-560381

Published

2020-09-04T18:00:54Z

Modified

2024-09-03T03:41:55.515524Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

yargs-parser Vulnerable to Prototype Pollution

Details

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

References

Affected packages

npm / yargs-parser

Package

Name: yargs-parser; View open source insights on deps.dev
Purl: pkg:npm/yargs-parser

Affected ranges

Type: SEMVER
Events: Introduced

6.0.0

Fixed

13.1.2

npm / yargs-parser

Package

Name: yargs-parser; View open source insights on deps.dev
Purl: pkg:npm/yargs-parser

Affected ranges

Type: SEMVER
Events: Introduced

14.0.0

Fixed

15.0.1

npm / yargs-parser

Package

Name: yargs-parser; View open source insights on deps.dev
Purl: pkg:npm/yargs-parser

Affected ranges

Type: SEMVER
Events: Introduced

16.0.0

Fixed

18.1.1

npm / yargs-parser

Package

Name: yargs-parser; View open source insights on deps.dev
Purl: pkg:npm/yargs-parser

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.1

Database specific

{
    "last_known_affected_version_range": "<= 5.0.0"
}