Security Advisory

CVE-2021-23438

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2021-09-01 18:20:11
Last updated 2024-09-16 17:52:46
Assigner snyk
State PUBLISHED

Description

This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is [__proto__]. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.