CVE-2020-5258
HIGH severity · CVSS 7.7 · Code injection
7.7CVSS HIGH
Summary
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
Impact & exploitability
Attack vectorNetwork
Attack complexityHigh
Privileges requiredLow
User interactionRequired
Confidentiality impactHigh
Integrity impactHigh
Availability impactNone
Exploit probability (EPSS)4%
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d ↗
Additional information
- NVD record
- https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171dPatch
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch
- https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b%40%3Cusers.qpid.apache.org%3E
- https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3%40%3Cusers.qpid.apache.org%3E
- https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00%40%3Cusers.qpid.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00012.htmlAdvisory
- https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2Advisory