Home > Vulnerability Database > CVE-2021-23440

Mend.io Vulnerability Database

CVE-2021-23440

Good to know:

Date: September 12, 2021

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

Language: JS

Severity Score

9.8

Related Resources (8)

Url: https://www.oracle.com/security-alerts/cpujan2022.html

Url: https://security-tracker.debian.org/tracker/CVE-2021-23440

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-23440

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-23440

Url: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/

Url: https://github.com/jonschlinkert/set-value/pull/33

Url: https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452

Url: https://www.mend.io/vulnerability-database/CVE-2021-23440

Severity Score

9.8

Weakness Type (CWE)

Access of Resource Using Incompatible Type ('Type Confusion')

CWE-843

Top Fix

Upgrade Version

Upgrade to version set-value - 2.0.1,4.0.1

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-23440

Good to know:

Date: September 12, 2021

Language: JS

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?