GHSA-fhv8-fx5f-7fxf

Source

https://github.com/advisories/GHSA-fhv8-fx5f-7fxf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-fhv8-fx5f-7fxf/GHSA-fhv8-fx5f-7fxf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fhv8-fx5f-7fxf

Aliases

CVE-2021-39227

Related

CVE-2021-39227

Published

2021-09-20T19:53:15Z

Modified

2024-12-06T18:20:49Z

Severity

6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Prototype Pollution in the merge and clone helper methods

Details

Impact

Using merge and clone helper methods in the src/core/util.ts module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly.

Patches

It has been patched in https://github.com/ecomfe/zrender/pull/826. Users should update zrender to 5.2.1. and update echarts to 5.2.1 if project is using echarts.

References

For more information

Database specific

{
    "github_reviewed_at": "2021-09-17T17:51:46Z",
    "cwe_ids": [
        "CWE-1321",
        "CWE-915"
    ],
    "nvd_published_at": "2021-09-17T14:15:00Z",
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

npm / zrender

Package

Name: zrender; View open source insights on deps.dev
Purl: pkg:npm/zrender

Affected ranges

Type: SEMVER
Events: Introduced

5.0.0

Fixed

5.2.1

npm / zrender

Package

Name: zrender; View open source insights on deps.dev
Purl: pkg:npm/zrender

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.3

Database specific

{
    "last_known_affected_version_range": "<= 4.3.2"
}