Vulnerability Details : CVE-2020-36618
A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252.
Products affected by CVE-2020-36618
- cpe:2.3:a:furqansofware:node_whois:-:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-36618
0.24%: Probability of exploitation activity in the next 30 days
~62%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-36618
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 | VulDB | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2020-36618
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Assigned by: cna@vuldb.com (Secondary)
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Assigned by: cna@vuldb.com (Secondary)
- The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. Assigned by: cna@vuldb.com (Secondary), nvd@nist.gov (Primary)
References for CVE-2020-36618
- https://vuldb.com/?id.216252
  CVE-2020-36618 | Furqan node-whois index.coffee prototype pollution (ID 105). Tags: Third Party Advisory
- https://github.com/FurqanSoftware/node-whois/pull/105
  fix(vulnerability): Prototype Pollution Vulnerability by zero734kr · Pull Request #105 · FurqanSoftware/node-whois · GitHub. Tags: Exploit; Issue Tracking; Patch; Third Party Advisory
- https://github.com/FurqanSoftware/node-whois/commit/46ccc2aee8d063c7b6b4dee2c2834113b7286076
  fix(vulnerability): Prototype Pollution Vulnerability (#105) · FurqanSoftware/node-whois@46ccc2a · GitHub. Tags: Patch; Third Party Advisory