CVE-2024-21489

CVSS V2 None CVSS V3 None

Description

Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.

Overview

CVE ID
CVE-2024-21489

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2024-10-01T05:00:02.644Z

Last Modified Date
2024-10-01T05:00:02.644Z

Weakness Enumerations

CWE	URL
CWE-1321	http://cwe.mitre.org/data/definitions/1321.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224
https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452
https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-21489
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21489

History

Created	Old Value	New Value	Data Type	Notes
2024-10-06 20:37:19				Added to TrackCVE