
Vulnerabilities from the last week
Prototype Pollution
deephas is a package that tests for the existence of a nested object key and optionally returns that key.
Affected versions of this package are vulnerable to Prototype Pollution via the add and indexer functions. An attacker can modify global object behavior and inject arbitrary properties into Object.prototype by supplying specially crafted payloads such as constructor.prototype.polluted or __proto__.polluted. This can result in authentication bypass, denial of service, or remote code execution if polluted properties are used in sensitive operations.
Active Debug Code
dfir-unfurl (Unfurl) takes a URL and expands ("unfurls") it into a directed graph.
Affected versions of this package are vulnerable to Active Debug Code due to improper parsing of the debug configuration value, which is always interpreted as truthy and enables the Werkzeug debugger regardless of intended settings. An attacker can gain access to sensitive information and potentially execute arbitrary code by accessing the exposed debugger interface if the service is accessible from outside the local environment.
Incorrect Privilege Assignment
org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.
Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the Admin API. An attacker can access sensitive user attributes by sending crafted requests with limited administrator privileges.
Note:
This is only exploitable if the attacker has a valid account on the realm, has the view-users role, and the target realm uses the User Profile feature with custom attributes set to restricted visibility.
Recent vulnerabilities disclosed by Snyk
- H: CRLF Injection in github.com/lxc/incus/v6/internal/instance (golang)
- H: CRLF Injection in github.com/lxc/incus/internal/instance (golang)
- H: Directory Traversal in github.com/lxc/incus/v6/internal/server/instance/drivers (golang)
- H: Directory Traversal in github.com/lxc/incus/internal/server/instance/drivers (golang)
- M: Regular Expression Denial of Service (ReDoS) in diff (npm)
Snyk security researchers have disclosed 3462 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.