CVE-2021-41097

Description

aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.

Related CPE's

abluespireaurelia-path*****node.js**

References

https://github.com/aurelia/path/releases/tag/1.1.7

Release NotesThird Party Advisory

https://github.com/aurelia/path/issues/44

ExploitIssue TrackingThird Party Advisory

https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv

MitigationThird Party Advisory

https://www.npmjs.com/package/aurelia-path

ProductThird Party Advisory

https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1

PatchThird Party Advisory

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AttackVector

NETWORK

AttackComplexity

LOW

PrivilegesRequired

NONE

UserInteraction

NONE

Scope

UNCHANGED

ConfidentialityImpact

NONE

IntegrityImpact

HIGH

AvailabilityImpact

NONE

BaseScore

7.5

BaseSeverity

HIGH

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

NONE

AvailabilityImpact

NONE

IntegrityImpact

PARTIAL

BaseScore

5

VectorString

AV:N/AC:L/Au:N/C:N/I:P/A:N

Version

2.0

AccessVector

NETWORK

Authentication

NONE

Created by Yello
About Severity.io