Vulnerabilities > CVE-2021-23624 - Type Confusion vulnerability in Dotty Project Dotty

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

dotty-project

CWE-843

NVD

Published: 2021-11-03

Updated: 2021-11-05

Summary

This affects the package dotty before 0.1.2. A type confusion vulnerability can lead to a bypass of CVE-2021-25912 when the user-provided keys used in the path parameter are arrays.

Vulnerable Configurations

Part	Description	Count
Application	Dotty_Project Dotty Project Dotty - Dotty Project Dotty 0.0.1 Dotty Project Dotty 0.0.2 Dotty Project Dotty 0.1.0 Dotty Project Dotty 0.1.1	5

Common Weakness Enumeration (CWE)

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

References

https://github.com/deoxxa/dotty/commit/88f61860dcc274a07a263c32cbe9d44c24ef02d7
https://snyk.io/vuln/SNYK-JS-DOTTY-1577292