Lucene search

[email protected]NVD:CVE-2020-5258

HistoryMar 10, 2020 - 6:15 p.m.

CVE-2020-5258

2020-03-1018:15:12

CWE-94

CWE-1321

[email protected]

web.nvd.nist.gov

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

8.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

62.0%

JSON

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

Affected configurations

NVD

Node

linuxfoundationdojoRange<1.11.10node.js

linuxfoundationdojoRange1.12.0–1.12.8node.js

linuxfoundationdojoRange1.13.0–1.13.7node.js

linuxfoundationdojoRange1.14.0–1.14.6node.js

linuxfoundationdojoRange1.15.0–1.15.3node.js

linuxfoundationdojoRange1.16.0–1.16.2node.js

Node

debiandebian_linuxMatch8.0

Node

oraclecommunications_application_session_controllerMatch3.9.0

oraclecommunications_policy_managementMatch12.5.0

oraclecommunications_pricing_design_centerMatch12.0.0.3.0

oracledocumakerRange12.6.0–12.6.4

oraclemysqlRange7.3.0–7.3.29

oraclemysqlRange7.4.0–7.4.28

oraclemysqlRange7.5.0–7.5.18

oraclemysqlRange7.6.0–7.6.14

oraclemysqlRange8.0.0–8.0.20

oracleprimavera_unifierRange17.7–17.12

oracleprimavera_unifierMatch18.8

oracleprimavera_unifierMatch19.12

oracleprimavera_unifierMatch20.12

oraclewebcenter_sitesMatch12.2.1.3.0

oraclewebcenter_sitesMatch12.2.1.4.0

oracleweblogic_serverMatch12.2.1.4.0

oracleweblogic_serverMatch14.1.1.0.0

References

github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d

github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2

lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b%40%3Cusers.qpid.apache.org%3E

lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3%40%3Cusers.qpid.apache.org%3E

lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00%40%3Cusers.qpid.apache.org%3E

lists.debian.org/debian-lts-announce/2020/03/msg00012.html

www.oracle.com//security-alerts/cpujul2021.html

www.oracle.com/security-alerts/cpujan2022.html

www.oracle.com/security-alerts/cpujul2020.html

www.oracle.com/security-alerts/cpujul2022.html

www.oracle.com/security-alerts/cpuoct2021.html

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

8.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

62.0%

JSON

Related for NVD:CVE-2020-5258

ubuntucve1 ibm69 osv3 prion1 redhatcve1 debiancve1 github1 veracode1 githubexploit1 cve1 cvelist1 nessus6 openvas2 mageia1 debian1 oracle5