Vulnerabilities > CVE-2022-31106 - Unspecified vulnerability in Clever Underscore.Deep

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

clever

NVD

Published: 2022-06-28

Updated: 2022-07-08

Summary

Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to `deepFromFlat`, which would pollute any future Objects created. Any users that have `deepFromFlat` or `deepPick` (due to its dependency on `deepFromFlat`) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying `deepFromFlat` to prevent specific keywords which will prevent this from happening.

Vulnerable Configurations

Part	Description	Count
Application	Clever Clever Underscore.Deep 0.0.1 Clever Underscore.Deep 0.0.2 Clever Underscore.Deep 0.0.3 Clever Underscore.Deep 0.0.4 Clever Underscore.Deep 0.0.5 Clever Underscore.Deep 0.1.0 Clever Underscore.Deep 0.2.0 Clever Underscore.Deep 0.3.0 Clever Underscore.Deep 0.4.0 Clever Underscore.Deep 0.5.0 Clever Underscore.Deep 0.5.1 Clever Underscore.Deep 0.5.2	12

Summary

Vulnerable Configurations

References