json-schema is vulnerable to Prototype Pollution #2

New Issue

Closed

opened 2022-05-19 04:41:02 +00:00 by argoyle · 0 comments

argoyle commented 2022-05-19 04:41:02 +00:00 (Migrated from gitlab.com)

Copy Link

Copy Source

⚠️ dependabot-gitlab has detected security vulnerability for json-schema in path: /, manifest_file: /package.json but was unable to update it! ⚠️

• https://github.com/advisories/GHSA-896r-f27r-55mw

Package	Severity	Affected versions	Patched versions	IDs
json-schema (NPM)	MODERATE	< 0.4.0	0.4.0	GHSA-896r-f27r-55mw,CVE-2021-3918

Description

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-3918
• https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
• https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9
• https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
• https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
• https://github.com/advisories/GHSA-896r-f27r-55mw

⚠️ `dependabot-gitlab` has detected security vulnerability for `json-schema` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️ * https://github.com/advisories/GHSA-896r-f27r-55mw | Package | Severity | Affected versions | Patched versions | IDs | |-------------------|----------|-------------------|------------------|---------------------------------------| | json-schema (NPM) | MODERATE | < 0.4.0 | 0.4.0 | `GHSA-896r-f27r-55mw`,`CVE-2021-3918` | # Description json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') # References * https://nvd.nist.gov/vuln/detail/CVE-2021-3918 * https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 * https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9 * https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a * https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa * https://github.com/advisories/GHSA-896r-f27r-55mw

argoyle (Migrated from gitlab.com) closed this issue 2022-12-05 13:01:13 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

renovate/vue-router-5.x

renovate-group-stylelint

fix/remove-digest-pinning

remove-gitlab-ci

remove-aws-iam-auth

remove-kubeconfig

kubeconfig-secret

ci-migration

No results found.

Labels

Clear labels

dependencies

Pull requests that update a dependency file

docker

javascript

security

Pull requests that address a security vulnerability

severity:critical

severity:high

severity:low

severity:moderate

No Label security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: dancefinder/dancefinder-app#2