Vulnerability Details CVE-2021-23470
This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077
Exploit prediction scoring system (EPSS) score
EPSS Score 0.015
EPSS Ranking 80.0%
CVSS Severity
CVSS v3 Score 8.2
CVSS v2 Score 7.5
References
Products affected by CVE-2021-23470
-
cpe:2.3:a:putil-merge_project:putil-merge:1.0.0
-
cpe:2.3:a:putil-merge_project:putil-merge:1.0.1
-
cpe:2.3:a:putil-merge_project:putil-merge:1.0.2
-
cpe:2.3:a:putil-merge_project:putil-merge:1.1.0
-
cpe:2.3:a:putil-merge_project:putil-merge:1.1.1
-
cpe:2.3:a:putil-merge_project:putil-merge:1.1.2
-
cpe:2.3:a:putil-merge_project:putil-merge:1.1.3
-
cpe:2.3:a:putil-merge_project:putil-merge:1.1.4
-
cpe:2.3:a:putil-merge_project:putil-merge:1.1.5
-
cpe:2.3:a:putil-merge_project:putil-merge:1.2.0
-
cpe:2.3:a:putil-merge_project:putil-merge:2.0.0
-
cpe:2.3:a:putil-merge_project:putil-merge:2.0.1
-
cpe:2.3:a:putil-merge_project:putil-merge:2.0.2
-
cpe:2.3:a:putil-merge_project:putil-merge:2.1.0
-
cpe:2.3:a:putil-merge_project:putil-merge:2.2.0
-
cpe:2.3:a:putil-merge_project:putil-merge:3.0.0
-
cpe:2.3:a:putil-merge_project:putil-merge:3.1.0
-
cpe:2.3:a:putil-merge_project:putil-merge:3.1.1
-
cpe:2.3:a:putil-merge_project:putil-merge:3.1.2
-
cpe:2.3:a:putil-merge_project:putil-merge:3.1.3
-
cpe:2.3:a:putil-merge_project:putil-merge:3.1.4
-
cpe:2.3:a:putil-merge_project:putil-merge:3.2.0
-
cpe:2.3:a:putil-merge_project:putil-merge:3.3.0
-
cpe:2.3:a:putil-merge_project:putil-merge:3.4.1
-
cpe:2.3:a:putil-merge_project:putil-merge:3.4.2
-
cpe:2.3:a:putil-merge_project:putil-merge:3.5.0
-
cpe:2.3:a:putil-merge_project:putil-merge:3.5.1
-
cpe:2.3:a:putil-merge_project:putil-merge:3.5.2
-
cpe:2.3:a:putil-merge_project:putil-merge:3.6.0
-
cpe:2.3:a:putil-merge_project:putil-merge:3.6.1
-
cpe:2.3:a:putil-merge_project:putil-merge:3.6.2
-
cpe:2.3:a:putil-merge_project:putil-merge:3.6.3
-
cpe:2.3:a:putil-merge_project:putil-merge:3.6.4
-
cpe:2.3:a:putil-merge_project:putil-merge:3.6.5
-
cpe:2.3:a:putil-merge_project:putil-merge:3.6.6