CVE-2021-23440
type confusion vulnerability in set-value (npm)
What is CVE-2021-23440 About?
This vulnerability in the `set-value` package is a type confusion flaw that enables a bypass of a previous security fix (CVE-2019-10747). It occurs when user-provided keys for the path parameter are arrays. It can allow unauthorized data manipulation or access, and exploitation requires specifically formatted input.
Affected Software
- set-value
  - >3.0.0, <3.0.3
  - <2.0.1
  - >4.0.0, <4.0.1
- set-value-nuget
  - <2.0.0
Technical Details
The vulnerability in the set-value package is a type confusion issue that bypasses the fix for CVE-2019-10747 (affected version ranges are listed under Affected Software). It specifically manifests when an attacker provides array-based keys within the path parameter. The set-value function is designed to set a value at a specified path within an object. The previous fix (CVE-2019-10747) aimed to prevent prototype pollution or other unintended overwrites. However, when an array is used as a key, the internal type checking or path resolution logic becomes confused, and the intended security restrictions are bypassed. This type confusion allows the attacker to manipulate object properties in an unintended way, potentially leading to property overwrites beyond the intended scope, or even prototype pollution in certain configurations.
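The gap between the key that is checked and the key that is used can be shown with a small guard and its hardened form. This is an added example, not set-value's code or the upstream patch; `naiveIsSafe`, `assertSafeSegment`, `safeSet` and `confusedPath` are hypothetical names, and the input is constructed.

```javascript
// Added example: a toy guard and setter, not set-value's own code.
const UNSAFE = new Set(['__proto__', 'constructor', 'prototype']);

// Guard of the kind type confusion defeats: it tests the segment as given,
// but a later property access coerces that segment with String().
function naiveIsSafe(segment) {
  return !UNSAFE.has(segment);
}

// Hardened guard: accept only strings and symbols, so the value that is
// checked is exactly the value later used as the property key.
function assertSafeSegment(segment) {
  if (typeof segment !== 'string' && typeof segment !== 'symbol') {
    throw new TypeError('path segments must be strings or symbols');
  }
  if (UNSAFE.has(segment)) {
    throw new Error(`unsafe path segment: ${String(segment)}`);
  }
}

// Hypothetical setter that validates every segment before touching target.
function safeSet(target, path, value) {
  const segments = typeof path === 'string' ? path.split('.') : path;
  if (!Array.isArray(segments) || !segments.length) throw new TypeError('bad path');
  segments.forEach((segment) => assertSafeSegment(segment));
  let node = target;
  for (const segment of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, segment);
    if (!own || node[segment] === null || typeof node[segment] !== 'object') {
      node[segment] = {};
    }
    node = node[segment];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Constructed input: the first segment is an array wrapping a reserved name.
const confusedPath = [['__proto__'], 'flag'];
function demo() {
  let hardenedRejects = false;
  try { safeSet({}, confusedPath, true); } catch (e) { hardenedRejects = e instanceof TypeError; }
  return {
    naiveAccepts: naiveIsSafe(confusedPath[0]), // an array equals no string in the set
    coercedKey: String(confusedPath[0]),        // the key a property access would use
    hardenedRejects,
    normal: safeSet({}, 'a.b', 1),
  };
}
```

Applications that cannot upgrade immediately can apply the same type check to user-supplied paths before they reach set-value.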
What is the Impact of CVE-2021-23440?
Successful exploitation may allow attackers to bypass security restrictions, overwrite or manipulate arbitrary object properties, and potentially achieve remote code execution or denial of service.
What is the Exploitability of CVE-2021-23440?
Exploitation requires an attacker to provide specially crafted input where keys used in the path parameter are arrays. The complexity is moderate, as it targets a specific behavior of the set-value package's path resolution. No specific authentication or high privileges are likely required if the application processes user-controlled input through set-value. This is typically a remote vulnerability, where an attacker sends malicious data to a web application. The core constraint is the application's use of the set-value package and how it handles user-supplied path data. The likelihood of exploitation increases if the application uses set-value in conjunction with untrusted input to dynamically set object properties.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23440?
Available Upgrade Options
- set-value-nuget
  - <2.0.0 → Upgrade to 2.0.0
- set-value
  - <2.0.1 → Upgrade to 2.0.1
  - >3.0.0, <3.0.3 → Upgrade to 3.0.3
  - >4.0.0, <4.0.1 → Upgrade to 4.0.1
Additional Resources
- https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452
- https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a
- https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212
- https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541
- https://github.com/jonschlinkert/set-value
- https://github.com/jonschlinkert/set-value/pull/33
- https://nvd.nist.gov/vuln/detail/CVE-2021-23440
- https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
- https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad
What are Similar Vulnerabilities to CVE-2021-23440?
Similar Vulnerabilities: CVE-2020-28172, CVE-2020-13768, CVE-2019-10747, CVE-2020-28490, CVE-2018-3721
