GHSA-jxfh-8wgv-vfr2

Source
https://github.com/advisories/GHSA-jxfh-8wgv-vfr2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-jxfh-8wgv-vfr2/GHSA-jxfh-8wgv-vfr2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jxfh-8wgv-vfr2
Aliases
Related
Published
2020-03-10T18:03:14Z
Modified
2024-07-15T22:12:25.937611Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
Prototype pollution in dojo
Details

In affected versions of dojo (the npm package), the deepCopy method is vulnerable to Prototype Pollution.

Prototype Pollution refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as Object. An attacker who controls the input uses such injected properties to overwrite, or pollute, the base object prototype that the application's objects inherit from, so that values of the attacker's choosing appear on every object.

This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2.
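The bug class described above, as an added example that is not dojo's code: a hypothetical naive recursive deep copy (deepCopyNaive) that follows a "__proto__" key straight into Object.prototype, beside a hardened variant (deepCopySafe) that skips prototype-reaching keys and only recurses into properties the target owns. The probe helper and the sample payload are constructed for this illustration.

```javascript
// Added example, not dojo's code. Helper names (deepCopyNaive, deepCopySafe,
// samplePayload, probe) are constructed for this illustration.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Naive: for-in visits the own "__proto__" key that JSON.parse creates, and
// reading target["__proto__"] yields Object.prototype, so the recursion
// writes the nested keys onto the shared base prototype.
function deepCopyNaive(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepCopyNaive(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skip keys that reach the prototype chain, and only recurse into
// a nested object that target owns itself (never an inherited one).
function deepCopySafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      deepCopySafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed sample input of the shape a JSON request body could carry.
function samplePayload() {
  return JSON.parse('{"name":"widget","__proto__":{"polluted":"yes"}}');
}

// Runs one copy function on a fresh payload, reports whether a brand-new
// object now inherits the injected key, then cleans up for the next probe.
function probe(copyFn) {
  const copied = copyFn({}, samplePayload());
  const polluted = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return { polluted, copiedName: copied.name };
}
```

Running probe(deepCopyNaive) reports polluted: true while probe(deepCopySafe) reports polluted: false, with both copies keeping the legitimate "name" key.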

Database specific
{
    "nvd_published_at": "2020-03-10T18:15:00Z",
    "github_reviewed_at": "2020-03-10T18:02:00Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1321",
        "CWE-74",
        "CWE-94"
    ]
}
References

Affected packages

npm / dojo (SEMVER ranges)
  • Introduced: 0 (unknown introduced version; all previous versions are affected). Fixed: 1.11.10
  • Introduced: 1.12.0. Fixed: 1.12.8
  • Introduced: 1.13.0. Fixed: 1.13.7
  • Introduced: 1.14.0. Fixed: 1.14.6
  • Introduced: 1.15.0. Fixed: 1.15.3
  • Introduced: 1.16.0. Fixed: 1.16.2