Vulnerabilities > CVE-2021-23444 - Type Confusion vulnerability in Client Jointjs

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

client

CWE-843

NVD

Published: 2021-09-21

Updated: 2021-10-02

Summary

This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.

Vulnerable Configurations

Part	Description	Count
Application	Client Client Jointjs *	1

Common Weakness Enumeration (CWE)

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

References

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1655817
https://github.com/clientIO/joint/releases/tag/v3.4.2
https://snyk.io/vuln/SNYK-JS-JOINTJS-1579578
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1655816
https://github.com/clientIO/joint/commit/e5bf89efef6d5ea572d66870ffd86560de7830a8
https://github.com/clientIO/joint/pull/1514