VIR Vulnerability Intelligence Relay

CVE-2017-1000048

high
Published 2017-07-17 · Modified 2023-11-08
CVSS v3
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v2
5.0
VIR risk
7.5

Description

Prototype Pollution Protection Bypass in qs

Predictions

Exploit likelihood
83%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Package impact
EcosystemPackageVulnerableFixed
npm npmqs<6.0.46.0.4
npm npmqs>=6.1.0,<6.1.26.1.2
npm npmqs>=6.2.0,<6.2.36.2.3
npm npmqs>=6.3.0,<6.3.26.3.2

Application impact
VendorProductVersionsFixed
qs_projectqs1.0.0
qs_projectqs1.0.1
qs_projectqs1.0.2
qs_projectqs1.1.0
qs_projectqs1.2.0
qs_projectqs1.2.1
qs_projectqs2.3.1
qs_projectqs2.3.2
qs_projectqs2.3.3
qs_projectqs2.4.0
qs_projectqs2.4.1
qs_projectqs2.4.2
qs_projectqs3.0.0
qs_projectqs3.1.0
qs_projectqs4.0.0
qs_projectqs5.0.0
qs_projectqs5.1.0
qs_projectqs5.2.0
qs_projectqs5.2.1
qs_projectqs6.0.0
qs_projectqs6.0.1
qs_projectqs6.0.2
qs_projectqs6.0.3
qs_projectqs6.1.0
qs_projectqs6.1.1
qs_projectqs6.2.0
qs_projectqs6.2.1
qs_projectqs6.2.2
qs_projectqs6.3.0
qs_projectqs6.3.1

References

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.