CVE-2021-21304 Vulnerability Details


CVE-2021-21304 Metadata Quick Info

CVE Published: 08/02/2021 | CVE Updated: 03/08/2024 | CVE Year: 2021
Source: GitHub_M | Vendor: dynamoose | Product: dynamoose
Status: PUBLISHED

CVE-2021-21304 Description

Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method is used throughout the codebase for various operations throughout Dynamoose. We have not seen any evidence of this vulnerability being exploited. There is no evidence this vulnerability impacts versions 1.x.x since the vulnerable method was added as part of the v2 rewrite. This vulnerability also impacts v2.x.x beta/alpha versions. Version 2.7.0 includes a patch for this vulnerability.
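
A version check for the affected range described above, as an added example that is not part of the advisory or the Dynamoose code base. A plain semver comparison against ">=2.0.0 <2.7.0" skips builds such as 2.0.0-beta because prereleases sort below their release, so this check compares major and minor directly. The sample lockfile is constructed, and treating 2.7.0 prereleases as unpatched is an assumption.

```javascript
// Added example (not Dynamoose code): flag dynamoose installs in the CVE-2021-21304 range.
// Advisory range: 2.0.0 up to, but not including, 2.7.0, plus 2.x alpha/beta builds.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function classify(version) {
  const p = parseVersion(version);
  if (p === null) return "unknown";            // tags, git URLs: needs manual review
  if (p.major !== 2) return "not-affected";    // advisory: no evidence for 1.x; fix shipped in 2.7.0
  if (p.minor < 7) return "affected";          // also catches 2.0.0-alpha/beta, which sort below 2.0.0
  // Assumption: a 2.7.0 prerelease sorts before 2.7.0 in semver, so treat it as unpatched.
  return p.minor === 7 && p.patch === 0 && p.pre !== null ? "affected" : "not-affected";
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including copies nested under other dependencies.
function scanLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/dynamoose$/.test(path)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile; package names other than dynamoose are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/dynamoose": { version: "2.7.0" },
    "node_modules/example-orm-plugin/node_modules/dynamoose": { version: "2.0.0-beta.12" },
    "node_modules/dynamoose-logger": { version: "2.3.0" },
  },
};

for (const f of scanLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(12)} ${String(f.version).padEnd(14)} ${f.path}`);
}
```

Entries reported as "unknown" (dist-tags, git references) need a manual look at the resolved version.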

Metrics

CVSS Version: 3.1 | Base Score: 7.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Exploitability Metrics:
    Attack Vector (AV): NETWORK
    Attack Complexity (AC): LOW
    Privileges Required (PR): NONE
    User Interaction (UI): NONE
    Scope (S): CHANGED

Impact Metrics:
    Confidentiality Impact (C): LOW
    Integrity Impact (I): LOW
    Availability Impact (A): NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-915
CWE Name: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
Source: dynamoose

Source: NVD (National Vulnerability Database).