GHSA-297x-8xj4-vcxv

Source
https://github.com/advisories/GHSA-297x-8xj4-vcxv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-297x-8xj4-vcxv/GHSA-297x-8xj4-vcxv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-297x-8xj4-vcxv
Published
2022-05-24T17:11:32Z
Modified
2023-11-01T04:53:43.145863Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Control of Generation of Code in doT
Details

The `dot` package v1.1.2 uses `Function()` to compile templates. This can be exploited by an attacker who can control the given template, or who can control a value set on `Object.prototype`.

Database specific
{
    "nvd_published_at": "2020-03-15T18:15:00Z",
    "github_reviewed_at": "2022-06-23T06:55:22Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ]
}
Affected packages

Package
npm / dot

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.3

Database specific

{
    "last_known_affected_version_range": "<= 1.1.2"
}