CVE-2020-7774

Aliases:GHSA-c4w7-xm78-47vh
Advisory lineage Upstream: 0 Downstream: 27
Modified
Published: 17 Nov 2020, 12:30
Last modified:16 Sept 2024, 20:13

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
0.47% LOW
0% probability -0.17%
KEV
Not listed
Ransomware
No reports
Public exploits
3 found
Dark Web
Not detected

Timeline

17 Nov 2020, 12:30
Published
Vulnerability first disclosed
16 Sept 2024, 20:13
Last Modified
Vulnerability information updated

Description

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

CVSS Metrics

  • v3.1HIGHScore: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v3.1HIGHScore: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • v2.0HIGHScore: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.47% Percentile: 65%

Techniques & Countermeasures

  • CWE-1321Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

    The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Affected Systems

  • Npmy18n

    < 3.2.2 | ≥ 4.0.0, < 4.0.1 | ≥ 5.0.0, < 5.0.5

  • oraclegraalvm

    19.3.5 | 20.3.1.2 | 21.0.0.2

  • siemenssinec_infrastructure_network_services

    < 1.0.1.1

  • y18n_projecty18n

    < 3.2.2 | ≥ 5.0.0, < 5.0.5 | 4.0.0

References (10)