The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
History

Sun, 08 Sep 2024 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.4::el8

Mon, 19 Aug 2024 22:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.4::el8

cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-01-21T20:05:29.374465Z

Updated: 2024-09-16T18:33:30.300Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23518

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-01-21T20:15:07.963

Modified: 2024-11-21T05:51:48.890

Link: CVE-2021-23518

cve-icon Redhat

Severity : Moderate

Publid Date: 2022-01-21T00:00:00Z

Links: CVE-2021-23518 - Bugzilla