Vulnerable Library - fluxxor-1.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Vulnerabilities
| CVE |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (fluxxor version) |
Remediation Possible** |
| CVE-2020-15256 |
 High |
8.4 |
object-path-0.6.0.tgz |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-15256
Vulnerable Library - object-path-0.6.0.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
- fluxxor-1.7.3.tgz (Root Library)
- ❌ object-path-0.6.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
CVSS 4 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution: 0.11.5
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - object-path-0.6.0.tgz
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/object-path/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability has been found in
object-path<= 0.11.4 affecting theset()method. The vulnerability is limited to theincludeInheritedPropsmode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance ofobject-pathand setting the optionincludeInheritedProps: true, or by using the defaultwithInheritedPropsinstance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage ofset()in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use theincludeInheritedProps: trueoptions or thewithInheritedPropsinstance if using a version >= 0.11.0.Publish Date: 2020-10-19
URL: CVE-2020-15256
CVSS 4 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution: 0.11.5