NVD Vulnerability Detail

CVE-2021-21304

Summary	Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method is used throughout the codebase for various operations throughout Dynamoose. We have not seen any evidence of this vulnerability being exploited. There is no evidence this vulnerability impacts versions 1.x.x since the vulnerable method was added as part of the v2 rewrite. This vulnerability also impacts v2.x.x beta/alpha versions. Version 2.7.0 includes a patch for this vulnerability.
Publication Date	Feb. 9, 2021, 3:15 a.m.
Registration Date	Feb. 9, 2021, 10:01 a.m.
Last Update	Nov. 21, 2024, 2:47 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:dynamoosejs:dynamoose::::::node.js::*		2.0.0			2.7.0

Related information, measures and tools

No	URL	タグ
1	https://github.com/dynamoose/dynamoose/commit/324c62b4709204955931a187362f8999805b1d8e	Patch Third Party Advisory
2	https://github.com/dynamoose/dynamoose/commit/324c62b4709204955931a187362f8999805b1d8e	Patch Third Party Advisory
3	https://github.com/dynamoose/dynamoose/releases/tag/v2.7.0	Release Notes Third Party Advisory
4	https://github.com/dynamoose/dynamoose/releases/tag/v2.7.0	Release Notes Third Party Advisory
5	https://github.com/dynamoose/dynamoose/security/advisories/GHSA-rrqm-p222-8ph2	Patch Third Party Advisory
6	https://github.com/dynamoose/dynamoose/security/advisories/GHSA-rrqm-p222-8ph2	Patch Third Party Advisory
7	https://www.npmjs.com/package/dynamoose	Product Third Party Advisory
8	https://www.npmjs.com/package/dynamoose	Product Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-1321	オブジェクトプロトタイプ属性の不適切に制御された変更 (プロトタイプの汚染)	https://cwe.mitre.org/data/definitions/1321.html

JVN Vulnerability Information

Dynamoose における動的に決定されたオブジェクト属性の不適切に制御された変更に関する脆弱性

Title	Dynamoose における動的に決定されたオブジェクト属性の不適切に制御された変更に関する脆弱性
Summary	Dynamoose には、動的に決定されたオブジェクト属性の不適切に制御された変更に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 6, 2021, midnight
Registration Date	Oct. 29, 2021, 5:47 p.m.
Last Update	Oct. 29, 2021, 5:47 p.m.

Affected System

DynamooseJS

Dynamoose 2.0.0 以上 2.7.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-21304	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21304
National Vulnerability Database (NVD)
2	CVE-2021-21304	https://nvd.nist.gov/vuln/detail/CVE-2021-21304

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-915	https://cwe.mitre.org/data/definitions/915.html

ベンダー情報

No	Name	URL
GitHub
1	Merge pull request from GHSA-rrqm-p222-8ph2	https://github.com/dynamoose/dynamoose/commit/324c62b4709204955931a187362f8999805b1d8e
2	Prototype Pollution	https://github.com/dynamoose/dynamoose/security/advisories/GHSA-rrqm-p222-8ph2
3	v2.7.0	https://github.com/dynamoose/dynamoose/releases/tag/v2.7.0
npm
4	dynamoose	https://www.npmjs.com/package/dynamoose

Change Log

No	Changed Details	Date of change
1	[2021年10月29日] 掲載	Oct. 29, 2021, 5:47 p.m.