CVE-2021-21304: Dynamoose (Amazon DynamoDB modeling tool) vulnerability

Dynamoose is an open-source modeling tool for Amazon’s DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method “lib/utils/object/set.ts”. This method is used throughout the Dynamoose codebase for various operations. We have not seen any evidence of this vulnerability being exploited. There is no evidence this vulnerability impacts versions 1.x.x, since the vulnerable method was added as part of the v2 rewrite. This vulnerability also impacts v2.x.x beta/alpha versions. Version 2.7.0 includes a patch for this vulnerability.
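The bug class above is easiest to see in a small deep-set helper. The following is an added example, not Dynamoose's code: a hypothetical dotted-path setter in a vulnerable and a hardened form, plus a regression check a maintainer can keep in a test suite (all function names are assumptions).

```javascript
// Added example, not Dynamoose's code: a minimal "set by dotted path" helper of the
// kind the advisory describes, vulnerable and hardened, plus a regression check.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern: every path segment is trusted, so a path that starts with
// "__proto__" walks into Object.prototype and the final write lands on every plain object.
function unsafeSet(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== "object" || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: reject the segments that can reach a prototype, and only descend
// through own properties so an inherited value cannot redirect the walk.
function safeSet(target, path, value) {
  const keys = path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new TypeError(`refusing to set unsafe key: ${k}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
    if (!own || typeof cur[keys[i]] !== "object" || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Regression check: write a canary through the helper under test, see whether it
// surfaced on Object.prototype, then clean up so the rest of the process is unaffected.
function isPrototypePollutable(setFn) {
  const canary = "__pp_canary__";
  try {
    setFn({}, "__proto__." + canary, true);
  } catch (e) {
    // Throwing on the dangerous key is the behaviour we want from a fixed helper.
  }
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, canary);
  delete Object.prototype[canary];
  return polluted;
}
console.log("unsafeSet pollutable:", isPrototypePollutable(unsafeSet)); // true
console.log("safeSet pollutable:", isPrototypePollutable(safeSet));     // false
```

The check is cheap enough to run in CI against any object-path utility a project ships, so a regression of this kind fails a build rather than reaching production.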

How to mitigate CVE-2021-21304

Time needed: 5 minutes.

Follow the instructions below; they will assist you in mitigating the Dynamoose vulnerability that has been reported in CVE-2021-21304.

  1. Upgrade Dynamoose to version 2.7.0 or later

    Update the dynamoose npm package in every affected project to version 2.7.0 or later; that release contains the CVE-2021-21304 fix. All 2.x.x releases before 2.7.0, including alpha and beta builds, are affected, while 1.x.x releases are not.

  2. Perform a vulnerability assessment

    Scan the applications and environments that depend on Dynamoose for known-vulnerable dependencies (for example with `npm audit` or a software composition analysis tool), and verify that no installed copy of dynamoose older than 2.7.0 remains, so that CVE-2021-21304 has been mitigated.

  3. Use the references

    The CVE-2021-21304 references below are provided for a reason: the upstream advisory, the fixing commit and the release notes. Consult them to make sure you are correctly informed.

References

  • github.com/dynamoose/dynamoose/security/advisories/GHSA-rrqm-p222-8ph2
  • github.com/dynamoose/dynamoose/commit/324c62b4709204955931a187362f8999805b1d8e
  • github.com/dynamoose/dynamoose/releases/tag/v2.7.0
  • www.npmjs.com/package/dynamoose