Candidate: CVE-2019-10746
PublicDate: 2019-08-23 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10746
 https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
 https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
 https://github.com/jonschlinkert/mixin-deep/issues/6
Description:
 mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2
 and version 2.0.0. The function mixin-deep could be tricked into adding or
 modifying properties of Object.prototype using a constructor payload.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932500
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_node-mixin-deep:
upstream_node-mixin-deep: released (2.0.1-1)
precise/esm_node-mixin-deep: DNE
trusty_node-mixin-deep: ignored (out of standard support)
trusty/esm_node-mixin-deep: DNE
xenial_node-mixin-deep: DNE
bionic_node-mixin-deep: needs-triage
disco_node-mixin-deep: ignored (reached end-of-life)
eoan_node-mixin-deep: not-affected (2.0.1-1)
focal_node-mixin-deep: not-affected (2.0.1-1)
groovy_node-mixin-deep: not-affected (2.0.1-1)
hirsute_node-mixin-deep: not-affected (2.0.1-1)
impish_node-mixin-deep: not-affected (2.0.1-1)
jammy_node-mixin-deep: not-affected (2.0.1-1)
devel_node-mixin-deep: not-affected (2.0.1-1)