Vulnerabilities > CVE-2021-41097 - Unspecified vulnerability in Bluespire Aurelia-Path

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

bluespire

NVD

Published: 2021-09-27

Updated: 2022-09-30

Summary

aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.

Vulnerable Configurations

Part	Description	Count
Application	Bluespire Bluespire Aurelia Path 0.0.1 Bluespire Aurelia Path 0.1.0 Bluespire Aurelia Path 0.2.0 Bluespire Aurelia Path 0.2.1 Bluespire Aurelia Path 0.2.2 Bluespire Aurelia Path 0.3.0 Bluespire Aurelia Path 0.4.0 Bluespire Aurelia Path 0.4.1 Bluespire Aurelia Path 0.4.2 Bluespire Aurelia Path 0.4.3 Bluespire Aurelia Path 0.4.4 Bluespire Aurelia Path 0.4.5 Bluespire Aurelia Path 0.4.6 Bluespire Aurelia Path 0.5.0 Bluespire Aurelia Path 0.6.0 Bluespire Aurelia Path 0.6.1 Bluespire Aurelia Path 0.7.0 Bluespire Aurelia Path 0.8.0 Bluespire Aurelia Path 0.8.1 Bluespire Aurelia Path 0.9.0 Bluespire Aurelia Path 0.10.0 Bluespire Aurelia Path 0.11.0 Bluespire Aurelia Path 1.0.0 Bluespire Aurelia Path 1.1.0 Bluespire Aurelia Path 1.1.1 Bluespire Aurelia Path 1.1.2 Bluespire Aurelia Path 1.1.3 Bluespire Aurelia Path 1.1.4 Bluespire Aurelia Path 1.1.5	38

Summary

Vulnerable Configurations

References