CVE-2018-3750

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-3750
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-3750.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-3750
Aliases
Related
Published
2018-07-03T21:29:00Z
Modified
2024-10-12T03:54:47.929174Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

References

Affected packages

Debian:11 / node-deep-extend

Package

Name
node-deep-extend
Purl
pkg:deb/debian/node-deep-extend?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.1-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / node-deep-extend

Package

Name
node-deep-extend
Purl
pkg:deb/debian/node-deep-extend?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.1-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / node-deep-extend

Package

Name
node-deep-extend
Purl
pkg:deb/debian/node-deep-extend?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.1-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/unclechu/node-deep-extend

Affected ranges

Type
GIT
Repo
https://github.com/unclechu/node-deep-extend
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v0.*

v0.2.10
v0.2.11
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.1
v0.4.2
v0.5.0