Vulnerability Information
Vulnerability Title
Dottie vulnerable to prototype pollution bypass via non-first path segments in set() and transform()
Vulnerability Description
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Vulnerability Type
CWE-1321
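The guard weakness described above, as an added example (not dottie's source code and not taken from the 2.0.7 fix): a check that inspects only the first path segment next to one that inspects every segment, plus a nested setter built on the stricter check. The names `firstSegmentGuard`, `everySegmentGuard`, `safeSet` and `segmentsOf` are hypothetical, and the sample paths are constructed.

```javascript
// Added illustration; all function names here are hypothetical.
// The blocked key is the one the advisory names.
const BLOCKED = new Set(['__proto__']);

// Hypothetical helper: accept a dot-separated string or an array of keys.
function segmentsOf(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Incomplete check: only the first segment is validated, which is the
// behaviour the advisory describes for versions 2.0.4 through 2.0.6.
function firstSegmentGuard(path) {
  return !BLOCKED.has(segmentsOf(path)[0]);
}

// Complete check: every segment must be acceptable, whatever its position.
function everySegmentGuard(path) {
  return segmentsOf(path).every((key) => !BLOCKED.has(key));
}

// Nested setter that rejects the whole path before writing anything.
function safeSet(target, path, value) {
  const keys = segmentsOf(path);
  if (!everySegmentGuard(keys)) {
    throw new Error('unsafe path segment in: ' + keys.join('.'));
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    // Descend only through own object-valued properties, so an inherited
    // object is never picked up and written to.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Constructed sample paths: the second one passes the incomplete check.
const samples = ['__proto__.flag', 'user.__proto__.flag', 'user.profile.name'];
for (const p of samples) {
  console.log(p, 'first-only:', firstSegmentGuard(p), 'every:', everySegmentGuard(p));
}
```

Until a project can move to 2.0.7, a check of this shape can be applied to caller-supplied paths before they reach `dottie.set()` or `dottie.transform()`.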
Vulnerability Title
dottie security vulnerability
Vulnerability Description
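dottie is an application by individual developer Mick Hansen that makes it easy to look up nested keys. dottie versions 2.0.4 through 2.0.6 contain a security vulnerability that stems from incomplete prototype pollution protection, which may allow the protection to be bypassed.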
CVSS Information
N/A
Vulnerability Type
N/A