CVE-2021-23436 (Medium) detected in immer-8.0.4.tgz, immer-8.0.1.tgz #71

mend-for-github-com · 2021-09-18T01:09:10Z

CVE-2021-23436 - Medium Severity Vulnerability

Vulnerable Libraries - immer-8.0.4.tgz, immer-8.0.1.tgz

immer-8.0.4.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.4.tgz

Path to dependency file: /client/package.json

Path to vulnerable library: /client/node_modules/immer/package.json

Dependency Hierarchy:

toolkit-1.5.1.tgz (Root Library)
- ❌ immer-8.0.4.tgz (Vulnerable Library)

immer-8.0.1.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz

Path to dependency file: /client/package.json

Path to vulnerable library: /client/node_modules/react-dev-utils/node_modules/immer/package.json

Dependency Hierarchy:

react-6.2.5.tgz (Root Library)
- react-dev-utils-11.0.4.tgz
  - ❌ immer-8.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 81f8b3f5658022f994993a18a7653667705b7f6e

Found in base branch: master

Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

CVSS 3 Score Details (5.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (@reduxjs/toolkit): 1.6.0

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (@storybook/react): 6.4.13

⛑️ Automatic Remediation will be attempted for this issue.

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Sep 18, 2021

mend-for-github-com bot mentioned this issue Feb 1, 2022

Update dependency @reduxjs/toolkit to v1.6.0 - abandoned #104

Open

1 task

mend-for-github-com bot mentioned this issue Feb 13, 2022

Update dependency @storybook/react to v6.4.22 - abandoned #121

Open

1 task

mend-for-github-com bot mentioned this issue Apr 3, 2023

Update dependency @storybook/react to v7 #218

Open

1 task

mend-for-github-com bot changed the title ~~CVE-2021-23436 (High) detected in immer-8.0.4.tgz, immer-8.0.1.tgz~~ CVE-2021-23436 (Critical) detected in immer-8.0.4.tgz, immer-8.0.1.tgz Jul 2, 2023

mend-for-github-com bot changed the title ~~CVE-2021-23436 (Critical) detected in immer-8.0.4.tgz, immer-8.0.1.tgz~~ CVE-2021-23436 (Medium) detected in immer-8.0.4.tgz, immer-8.0.1.tgz Sep 8, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2021-23436 (Medium) detected in immer-8.0.4.tgz, immer-8.0.1.tgz #71

CVE-2021-23436 (Medium) detected in immer-8.0.4.tgz, immer-8.0.1.tgz #71

mend-for-github-com bot commented Sep 18, 2021 •

edited

Loading

CVE-2021-23436 (Medium) detected in immer-8.0.4.tgz, immer-8.0.1.tgz #71

CVE-2021-23436 (Medium) detected in immer-8.0.4.tgz, immer-8.0.1.tgz #71

Comments

mend-for-github-com bot commented Sep 18, 2021 • edited Loading

CVE-2021-23436 - Medium Severity Vulnerability

mend-for-github-com bot commented Sep 18, 2021 •

edited

Loading