You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: t-vault/tvaultui/package.json
Path to vulnerable library: t-vault/tvaultui/node_modules/object-path/package.json
Dependency Hierarchy:
browser-sync-2.9.12.tgz (Root Library)
eazy-logger-2.1.3.tgz
tfunk-3.1.0.tgz
❌ object-path-0.9.2.tgz (Vulnerable Library)
Vulnerability Details
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
CVE-2020-15256 - High Severity Vulnerability
Vulnerable Library - object-path-0.9.2.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Path to dependency file: t-vault/tvaultui/package.json
Path to vulnerable library: t-vault/tvaultui/node_modules/object-path/package.json
Dependency Hierarchy:
Vulnerability Details
A prototype pollution vulnerability has been found in
object-path
<= 0.11.4 affecting theset()
method. The vulnerability is limited to theincludeInheritedProps
mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance ofobject-path
and setting the optionincludeInheritedProps: true
, or by using the defaultwithInheritedProps
instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage ofset()
in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use theincludeInheritedProps: true
options or thewithInheritedProps
instance if using a version >= 0.11.0.Publish Date: 2020-10-19
URL: CVE-2020-15256
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-07-21
Fix Resolution: 0.11.5
The text was updated successfully, but these errors were encountered: