Vulnerabilities > CVE-2021-23438 - Type Confusion vulnerability in Mpath Project Mpath

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

mpath-project

CWE-843

critical

NVD

Published: 2021-09-01

Updated: 2024-11-21

Summary

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.

Vulnerable Configurations

Part	Description	Count
Application	Mpath_Project Mpath Project Mpath 0.0.1 Mpath Project Mpath 0.1.0 Mpath Project Mpath 0.1.1 Mpath Project Mpath 0.2.0 Mpath Project Mpath 0.2.1 Mpath Project Mpath 0.3.0 Mpath Project Mpath 0.4.0 Mpath Project Mpath 0.4.1 Mpath Project Mpath 0.5.0 Mpath Project Mpath 0.5.1 Mpath Project Mpath 0.5.2 Mpath Project Mpath 0.6.0	12

Common Weakness Enumeration (CWE)

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References