CVE-2019-20149
First published: Mon Dec 30 2019(Updated: )
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/kind-of | >=6.0.0<6.0.3 | 6.0.3 |
| IBM EWM | <=7.0.2 | |
| IBM EWM | <=7.0.1 | |
| IBM RTC | <=6.0.2 | |
| IBM RTC | <=6.0.6.1 | |
| IBM EWM | <=7.0 | |
| IBM RTC | <=6.0.6 | |
| IBM RELM | <=6.0.6.1 | |
| IBM ENI | <=7.0.1 | |
| IBM RELM | <=6.0.6 | |
| IBM ENI | <=7.0 | |
| IBM RELM | <=6.0.2 | |
| IBM ENI | <=7.0.2 | |
| IBM Engineering Requirements Quality Assistant On-Premises | <=All | |
| Kind-of Project Kind-of | =6.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jonschlinkert/kind-of/issues/30
- https://github.com/jonschlinkert/kind-of/pull/31
- https://nvd.nist.gov/vuln/detail/CVE-2019-20149
- https://github.com/jonschlinkert/kind-of/commit/1df992ce6d5a1292048e5fe9c52c5382f941ee0b
- https://snyk.io/vuln/SNYK-JS-KINDOF-537849
- https://www.npmjs.com/advisories/1490
- https://github.com/advisories/GHSA-6c8f-qphg-qjgp (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/173669
- https://www.ibm.com/support/pages/node/6437579 (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this vulnerability?
The vulnerability ID is CVE-2019-20149.
What is the severity of CVE-2019-20149?
The severity of CVE-2019-20149 is high (7.5).
Which software products are affected by CVE-2019-20149?
IBM EWM versions up to 7.0.2, IBM EWM versions up to 7.0.1, IBM RTC versions up to 6.0.2, IBM RTC versions up to 6.0.6.1, IBM RTC versions up to 6.0.6, IBM RELM versions up to 6.0.6.1, IBM RELM versions up to 6.0.6, IBM ENI versions up to 7.0.1, IBM ENI versions up to 7.0.2, and IBM Engineering Requirements Quality Assistant On-Premises (all versions) are affected.
How can a remote attacker exploit this vulnerability?
A remote attacker can exploit CVE-2019-20149 by sending a specially-crafted payload to overwrite the builtin attribute and manipulate the type detection.
Are there any references for CVE-2019-20149?
Yes, you can find references for CVE-2019-20149 at the following links: [GitHub Issue](https://github.com/jonschlinkert/kind-of/issues/30), [GitHub Pull Request](https://github.com/jonschlinkert/kind-of/pull/31), and [IBM X-Force Exchange](https://exchange.xforce.ibmcloud.com/vulnerabilities/173669).
- collector/github-advisory-latest
- alias/GHSA-6c8f-qphg-qjgp
- alias/CVE-2019-20149
- collector/github-advisory
- agent/author
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/references
- agent/severity
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/npm
- vendor/ibm
- canonical/ibm ewm
- version/ibm ewm/7.0.2
- version/ibm ewm/7.0.1
- canonical/ibm rtc
- version/ibm rtc/6.0.2
- version/ibm rtc/6.0.6.1
- version/ibm ewm/7.0
- version/ibm rtc/6.0.6
- canonical/ibm relm
- version/ibm relm/6.0.6.1
- canonical/ibm eni
- version/ibm eni/7.0.1
- version/ibm relm/6.0.6
- version/ibm eni/7.0
- version/ibm relm/6.0.2
- version/ibm eni/7.0.2
- canonical/ibm engineering requirements quality assistant on-premises
- version/ibm engineering requirements quality assistant on-premises/all
- vendor/kind-of project
- canonical/kind-of project kind-of
- version/kind-of project kind-of/6.0.2