Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings

CVE-2021-23436 (High) detected in immer-8.0.1.tgz - autoclosed #69

Copy link
Copy link
Closed
@mend-bolt-for-github

Description

@mend-bolt-for-github
Issue body actions

CVE-2021-23436 - High Severity Vulnerability

Vulnerable Library - immer-8.0.1.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz

Path to dependency file: /ui/package.json

Path to vulnerable library: /ui/node_modules/immer/package.json

Dependency Hierarchy:

  • @postgres.ai/ce-1.0.0.tgz (Root Library)
    • react-scripts-4.0.3.tgz
      • react-dev-utils-11.0.4.tgz
        • immer-8.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b3ac62d12e3d43994ff7ad836e34da801ed665fb

Found in base branch: master

Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution: immer - 9.0.6


Step up your Open Source Security Game with WhiteSource here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions

      Morty Proxy This is a proxified and sanitized view of the page, visit original site.