Vulnerability Details CVE-2018-3728
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.018
EPSS Ranking 81.8%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
- http://www.securityfocus.com/bid/103108
- https://access.redhat.com/errata/RHSA-2018:1263
- https://access.redhat.com/errata/RHSA-2018:1264
- https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee
- https://hackerone.com/reports/310439
- https://nodesecurity.io/advisories/566
- https://snyk.io/vuln/npm:hoek:20180212
- http://www.securityfocus.com/bid/103108
- https://access.redhat.com/errata/RHSA-2018:1263
- https://access.redhat.com/errata/RHSA-2018:1264
- https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee
- https://hackerone.com/reports/310439
- https://nodesecurity.io/advisories/566
- https://snyk.io/vuln/npm:hoek:20180212
Products affected by CVE-2018-3728
-
cpe:2.3:a:hapijs:hoek:0.0.6
-
cpe:2.3:a:hapijs:hoek:0.10.0
-
cpe:2.3:a:hapijs:hoek:0.4.1
-
cpe:2.3:a:hapijs:hoek:0.4.2
-
cpe:2.3:a:hapijs:hoek:0.4.3
-
cpe:2.3:a:hapijs:hoek:0.4.4
-
cpe:2.3:a:hapijs:hoek:0.4.5
-
cpe:2.3:a:hapijs:hoek:0.5.0
-
cpe:2.3:a:hapijs:hoek:0.6.0
-
cpe:2.3:a:hapijs:hoek:0.6.1
-
cpe:2.3:a:hapijs:hoek:0.6.2
-
cpe:2.3:a:hapijs:hoek:0.7.0
-
cpe:2.3:a:hapijs:hoek:0.7.1
-
cpe:2.3:a:hapijs:hoek:0.7.2
-
cpe:2.3:a:hapijs:hoek:0.7.3
-
cpe:2.3:a:hapijs:hoek:0.7.4
-
cpe:2.3:a:hapijs:hoek:0.7.5
-
cpe:2.3:a:hapijs:hoek:0.7.6
-
cpe:2.3:a:hapijs:hoek:0.8.0
-
cpe:2.3:a:hapijs:hoek:0.8.1
-
cpe:2.3:a:hapijs:hoek:0.8.2
-
cpe:2.3:a:hapijs:hoek:0.8.3
-
cpe:2.3:a:hapijs:hoek:0.8.4
-
cpe:2.3:a:hapijs:hoek:0.8.5
-
cpe:2.3:a:hapijs:hoek:0.9.0
-
cpe:2.3:a:hapijs:hoek:0.9.1
-
cpe:2.3:a:hapijs:hoek:1.0.0
-
cpe:2.3:a:hapijs:hoek:1.0.1
-
cpe:2.3:a:hapijs:hoek:1.0.2
-
cpe:2.3:a:hapijs:hoek:1.0.3
-
cpe:2.3:a:hapijs:hoek:1.1.0
-
cpe:2.3:a:hapijs:hoek:1.1.1
-
cpe:2.3:a:hapijs:hoek:1.1.2
-
cpe:2.3:a:hapijs:hoek:1.2.0
-
cpe:2.3:a:hapijs:hoek:1.3.0
-
cpe:2.3:a:hapijs:hoek:1.4.0
-
cpe:2.3:a:hapijs:hoek:1.4.1
-
cpe:2.3:a:hapijs:hoek:1.5.0
-
cpe:2.3:a:hapijs:hoek:1.5.1
-
cpe:2.3:a:hapijs:hoek:1.5.2
-
cpe:2.3:a:hapijs:hoek:2.0.0
-
cpe:2.3:a:hapijs:hoek:2.1.0
-
cpe:2.3:a:hapijs:hoek:2.1.1
-
cpe:2.3:a:hapijs:hoek:2.10.0
-
cpe:2.3:a:hapijs:hoek:2.11.0
-
cpe:2.3:a:hapijs:hoek:2.11.1
-
cpe:2.3:a:hapijs:hoek:2.12.0
-
cpe:2.3:a:hapijs:hoek:2.13.0
-
cpe:2.3:a:hapijs:hoek:2.13.1
-
cpe:2.3:a:hapijs:hoek:2.14.0
-
cpe:2.3:a:hapijs:hoek:2.15.0
-
cpe:2.3:a:hapijs:hoek:2.16.0
-
cpe:2.3:a:hapijs:hoek:2.16.1
-
cpe:2.3:a:hapijs:hoek:2.16.2
-
cpe:2.3:a:hapijs:hoek:2.16.3
-
cpe:2.3:a:hapijs:hoek:2.2.0
-
cpe:2.3:a:hapijs:hoek:2.3.0
-
cpe:2.3:a:hapijs:hoek:2.4.0
-
cpe:2.3:a:hapijs:hoek:2.4.1
-
cpe:2.3:a:hapijs:hoek:2.5.0
-
cpe:2.3:a:hapijs:hoek:2.5.1
-
cpe:2.3:a:hapijs:hoek:2.6.0
-
cpe:2.3:a:hapijs:hoek:2.7.0
-
cpe:2.3:a:hapijs:hoek:2.8.0
-
cpe:2.3:a:hapijs:hoek:2.8.1
-
cpe:2.3:a:hapijs:hoek:2.9.0
-
cpe:2.3:a:hapijs:hoek:2.9.1
-
cpe:2.3:a:hapijs:hoek:3.0.0
-
cpe:2.3:a:hapijs:hoek:3.0.2
-
cpe:2.3:a:hapijs:hoek:3.0.3
-
cpe:2.3:a:hapijs:hoek:3.0.4
-
cpe:2.3:a:hapijs:hoek:4.0.0
-
cpe:2.3:a:hapijs:hoek:4.0.1
-
cpe:2.3:a:hapijs:hoek:4.0.2
-
cpe:2.3:a:hapijs:hoek:4.1.0
-
cpe:2.3:a:hapijs:hoek:4.1.1
-
cpe:2.3:a:hapijs:hoek:5.0.0
-
cpe:2.3:a:hapijs:hoek:5.0.1
-
cpe:2.3:a:hapijs:hoek:5.0.2