Advisories » MGASA-2020-0230

Updated nodejs-set-value packages fix security vulnerability

Publication date: 27 May 2020
Modification date: 27 May 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-10747

Description

Updated nodejs-set-value package fixes security vulnerability:

A vulnerability was found in NOdejs set-value, where set-value is
vulnerable to prototype Pollution in versions lower than 3.0.1.
The function mixin-deep could be tricked into adding or modifying
properties of Object.prototype using any of the constructor,
prototype and _proto_ payloads (CVE-2019-10747).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26227
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747

SRPMS

7/core

• nodejs-set-value-3.0.2-1.mga7