QwikSec

Security Database

CVE

CWE

Training

CVE-2021-21304

Published: Feb 8, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

7.2

HIGH

Description

Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method is used throughout the codebase for various operations throughout Dynamoose. We have not seen any evidence of this vulnerability being exploited. There is no evidence this vulnerability impacts versions 1.x.x since the vulnerable method was added as part of the v2 rewrite. This vulnerability also impacts v2.x.x beta/alpha versions. Version 2.7.0 includes a patch for this vulnerability.

Vendor	Product	Versions
dynamoose	dynamoose	affected `>= 2.0.0, < 2.7.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/dynamoose/dynamoose/security/advisories/GHSA-rrqm-p222-8ph2

x_refsource_CONFIRM

https://github.com/dynamoose/dynamoose/commit/324c62b4709204955931a187362f8999805b1d8e

x_refsource_MISC

https://github.com/dynamoose/dynamoose/releases/tag/v2.7.0

x_refsource_MISC

https://www.npmjs.com/package/dynamoose

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2021-21304 | HIGH (7.2) - Security Vulnerability | QwikSec