CVE-2021-4264: LinkedIn dustjs prototype pollution
First published: Wed Dec 21 2022(Updated: )
A vulnerability was found in LinkedIn dustjs up to 2.x and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is ddb6523832465d38c9d80189e9de60519ac307c3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216464.
Credit: cna@vuldb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Data Virtualization on Cloud Pak for Data | <=3.0 | |
| IBM Watson Query with Cloud Pak for Data | <=2.2 | |
| IBM Watson Query with Cloud Pak for Data | <=2.1 | |
| IBM Watson Query with Cloud Pak for Data | <=2.0 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.8 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.7 | |
| Dust.js | <3.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/linkedin/dustjs/commit/ddb6523832465d38c9d80189e9de60519ac307c3
- https://github.com/linkedin/dustjs/issues/804
- https://github.com/linkedin/dustjs/pull/805
- https://github.com/linkedin/dustjs/releases/tag/v3.0.0
- https://vuldb.com/?ctiid.216464
- https://vuldb.com/?id.216464
- https://www.ibm.com/support/pages/node/7183851 (Advisory)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-4264.
What is the severity of CVE-2021-4264?
The severity of CVE-2021-4264 is high.
What is the affected software of CVE-2021-4264?
The affected software of CVE-2021-4264 is LinkedIn dustjs up to version 2.x.
What is the type of vulnerability in CVE-2021-4264?
The type of vulnerability in CVE-2021-4264 is prototype pollution.
How can I fix CVE-2021-4264?
To fix CVE-2021-4264, it is recommended to update to a version higher than 3.0.0 of LinkedIn dustjs.
- agent/type
- agent/remedy
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/author
- agent/source
- agent/description
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- collector/nvd-api
- source/NVD
- vendor/ibm
- canonical/ibm data virtualization on cloud pak for data
- version/ibm data virtualization on cloud pak for data/3.0
- canonical/ibm watson query with cloud pak for data
- version/ibm watson query with cloud pak for data/2.2
- version/ibm watson query with cloud pak for data/2.1
- version/ibm watson query with cloud pak for data/2.0
- version/ibm data virtualization on cloud pak for data/1.8
- version/ibm data virtualization on cloud pak for data/1.7
- vendor/linkedin
- canonical/dust.js