Debian dla-3291 : node-object-path - security update

critical Nessus Plugin ID 170884

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3291 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3291-1
[email protected]
https://www.debian.org/lts/security/
Guilhem Moulin
January 29, 2023
https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : node-object-path
Version : 0.11.4-2+deb10u2
CVE ID : CVE-2021-3805 CVE-2021-23434

It was discovered that node-object-path, a Node.js module to access deep object properties using dot-separated paths, was vulnerable to prototype pollution.

CVE-2021-3805

Prototype pollution vulnerability in the `del()`, `empty()`, `push()` and `insert()` functions when using the inherited props mode (e.g. when a new `object-path` instance is created with the `includeInheritedProps` option set to `true` or when using the `withInheritedProps` default instance).

CVE-2021-23434

A type confusion vulnerability can lead to a bypass of the CVE-2020-15256 fix when the path components used in the path parameter are arrays, because the `===` operator always returns false when the operands are of different types.

For Debian 10 buster, these problems have been fixed in version 0.11.4-2+deb10u2.

We recommend that you upgrade your node-object-path packages.

For the detailed security status of node-object-path please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/node-object-path

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.
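The type-confusion point in CVE-2021-23434 above (a strict `===` comparison against forbidden key names never matches an array-typed path component) is illustrated by the following added example. It is not code from the Debian advisory or the object-path project; the `FORBIDDEN` list, the function names and the sample paths are assumptions chosen to show a naive segment check beside a hardened one that normalises the segment type first.

```javascript
// Added example (not object-path's own code): why a key-name blocklist
// compared with === misses array-typed path components, and a hardened
// check that rejects any segment that is not a plain string or index.

// Assumed set of keys that must never be traversed when writing a path.
const FORBIDDEN = ['__proto__', 'constructor', 'prototype'];

// Naive check of the shape the advisory describes: each segment is compared
// directly with ===. A segment such as ['__proto__'] is an object, so it is
// never === to the string '__proto__' and slips through.
function naiveIsSafe(segments) {
  return segments.every(seg => !FORBIDDEN.some(bad => seg === bad));
}

// Hardened check: only strings and non-negative integer indexes are accepted
// at all, so a forbidden key wrapped in an array or object cannot disguise
// its type, and strings are then compared against the blocklist.
function hardenedIsSafe(segments) {
  return segments.every(seg => {
    if (typeof seg === 'number') return Number.isInteger(seg) && seg >= 0;
    if (typeof seg !== 'string') return false; // arrays, objects, null, ...
    return !FORBIDDEN.includes(seg);
  });
}

// object-path accepts either a dotted string or an array for the path
// parameter; split the string form, keep the array form as given.
function toSegments(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Run both checks on one path and report the verdicts side by side.
function evaluate(path) {
  const segs = toSegments(path);
  return { naive: naiveIsSafe(segs), hardened: hardenedIsSafe(segs) };
}

// Constructed sample paths; the last one nests a component inside an array.
const SAMPLES = [
  'user.name',
  '__proto__.polluted',
  ['__proto__', 'polluted'],
  [['__proto__'], 'polluted'],
];

for (const p of SAMPLES) {
  console.log(JSON.stringify(p), evaluate(p));
}
```

Only the last sample shows a difference: the naive check reports it safe, the hardened check rejects it because the first segment is not a string.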

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the node-object-path packages.

See Also

http://www.nessus.org/u?d109f415

https://security-tracker.debian.org/tracker/CVE-2020-15256

https://security-tracker.debian.org/tracker/CVE-2021-23434

https://security-tracker.debian.org/tracker/CVE-2021-3805

https://packages.debian.org/source/buster/node-object-path

Plugin Details

Severity: Critical

ID: 170884

File Name: debian_DLA-3291.nasl

Version: 1.2

Type: local

Agent: unix

Published: 1/31/2023

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-23434

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2020-15256

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:node-object-path

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/29/2023

Vulnerability Publication Date: 10/19/2020

Reference Information

CVE: CVE-2020-15256, CVE-2021-23434, CVE-2021-3805