{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21489", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.118Z", "datePublished": "2024-10-01T05:00:02.644Z", "dateUpdated": "2024-10-07T14:08:35.115Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P"}}], "credits": [{"value": "Tariq Hawis", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "description": "Prototype Pollution", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-10-01T05:00:02.644Z"}, "descriptions": [{"value": "Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224"}, {"url": "https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452"}, {"url": "https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983"}], "affected": [{"product": "uplot", "versions": [{"version": "0", "lessThan": "1.6.31", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"affected": [{"vendor": "leeoniya", "product": "uplot", "cpes": ["cpe:2.3:a:leeoniya:uplot:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.6.31", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-01T13:53:45.563874Z", "id": "CVE-2024-21489", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-07T14:08:35.115Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21489", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-01T13:53:45.563874Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:leeoniya:uplot:*:*:*:*:*:*:*:*"], "vendor": "leeoniya", "product": "uplot", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.31", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T13:55:39.909Z"}}], "cna": {"credits": [{"lang": "en", "value": "Tariq Hawis"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "uplot", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.31", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224"}, {"url": "https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452"}, {"url": "https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983"}], "descriptions": [{"lang": "en", "value": "Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1321", "description": "Prototype Pollution"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-10-01T05:00:02.644Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21489", "state": "PUBLISHED", "dateUpdated": "2024-10-07T14:08:35.115Z", "dateReserved": "2023-12-22T12:33:20.118Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-10-01T05:00:02.644Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype."}, {"lang": "es", "value": "Las versiones del paquete uplot anteriores a 1.6.31 son vulnerables a la contaminaci\u00f3n de prototipos a trav\u00e9s de la funci\u00f3n uplot.assign debido a la falta de verificaci\u00f3n de si el atributo se resuelve en el prototipo del objeto."}], "id": "CVE-2024-21489", "lastModified": "2024-10-04T13:51:25.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-10-01T05:15:12.227", "references": [{"source": "report@snyk.io", "url": "https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452"}, {"source": "report@snyk.io", "url": "https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8083", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "grafana-0:7.3.6-7.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8083", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "grafana-0:7.3.6-7.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8083", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "grafana-0:7.3.6-7.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-10-14T00:00:00Z"}], "bugzilla": {"description": "uplot: Prototype Pollution in uplot", "id": "2315838", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315838"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "status": "verified"}, "cwe": "CWE-1321", "details": ["Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.", "A flaw was found in uPlot. This vulnerability allows prototype pollution via the uplot.assign function due to missing checks for attributes that resolve to the object prototype."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-21489", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-01T05:15:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21489\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21489\nhttps://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js%23L437-L452\nhttps://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983\nhttps://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224"], "statement": "Grafana is not impacted by this CVE, as the vulnerable `uplot.assign` function is not utilized in Grafana on Red Hat Enterprise Linux. Only RHEL-8.4.z having the issue.", "threat_severity": "Important"}