CVE-2021-23807 (Medium) detected in jsonpointer #1107
Description
GHSA-282f-qqgm-c34q - Medium Severity Vulnerability
Vulnerable Library - [email protected]
This is an implementation of [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901).
Library home page: https://www.npmjs.com/package/jsonpointer
Dependency Hierarchy:
- [email protected] (Root Library)
- [email protected]
- [email protected]
- ❌ [email protected] (Vulnerable Library)
- [email protected]
- [email protected]
$ npm ls jsonpointer
[email protected] /home/ubuntu/ws/OpenSearch-Dashboards
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]
$ yarn why jsonpointer
yarn why v1.22.17
[1/4] Why do we have the module "jsonpointer"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.4.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
- "_project_#sass-lint#eslint#is-my-json-valid" depends on it
- Hoisted from "_project_#sass-lint#eslint#is-my-json-valid#jsonpointer"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
Done in 1.83s.
Found in base branch: main
Vulnerability Details
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Publish Date: 2021-11-08
URL: CVE-2021-23807
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: janl/node-jsonpointer#51
Release Date: 2021-11-08
Fix Resolution: jsonpointer - 5.0.0