CVE-2020-5258 Prototype pollution in dojo

2020-03-1017:50:20

CWE-94

GitHub_M

www.cve.org

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

7.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

62.0%

JSON

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

CNA Affected

[
  {
    "product": "dojo",
    "vendor": "dojo",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.12.8"
      },
      {
        "status": "affected",
        "version": ">= 1.13.0, < 1.13.7"
      },
      {
        "status": "affected",
        "version": ">= 1.14.0, < 1.14.6"
      },
      {
        "status": "affected",
        "version": ">= 1.15.0, < 1.15.3"
      },
      {
        "status": "affected",
        "version": ">= 1.16.0, < 1.16.2"
      }
    ]
  }
]