CVE-2020-5258


In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as objects. An attacker manipulates these properties to overwrite, or pollute, the prototype of the application's base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2.


Published

2020-03-10T18:15:12.123

Last Modified

2024-11-21T05:33:46.900

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.7 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
Exploitability Score

10.0

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-94
  • Type: Primary
    CWE-1321

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | linuxfoundation | dojo | < 1.11.10 | Yes |
| Application | linuxfoundation | dojo | < 1.12.8 | Yes |
| Application | linuxfoundation | dojo | < 1.13.7 | Yes |
| Application | linuxfoundation | dojo | < 1.14.6 | Yes |
| Application | linuxfoundation | dojo | < 1.15.3 | Yes |
| Application | linuxfoundation | dojo | < 1.16.2 | Yes |
| Operating System | debian | debian_linux | 8.0 | Yes |
| Application | oracle | communications_application_session_controller | 3.9.0 | Yes |
| Application | oracle | communications_policy_management | 12.5.0 | Yes |
| Application | oracle | communications_pricing_design_center | 12.0.0.3.0 | Yes |
| Application | oracle | documaker | ≤ 12.6.4 | Yes |
| Application | oracle | mysql | ≤ 7.3.29 | Yes |
| Application | oracle | mysql | ≤ 7.4.28 | Yes |
| Application | oracle | mysql | ≤ 7.5.18 | Yes |
| Application | oracle | mysql | ≤ 7.6.14 | Yes |
| Application | oracle | mysql | ≤ 8.0.20 | Yes |
| Application | oracle | primavera_unifier | ≤ 17.12 | Yes |
| Application | oracle | primavera_unifier | 18.8 | Yes |
| Application | oracle | primavera_unifier | 19.12 | Yes |
| Application | oracle | primavera_unifier | 20.12 | Yes |
| Application | oracle | webcenter_sites | 12.2.1.3.0 | Yes |
| Application | oracle | webcenter_sites | 12.2.1.4.0 | Yes |
| Application | oracle | weblogic_server | 12.2.1.4.0 | Yes |
| Application | oracle | weblogic_server | 14.1.1.0.0 | Yes |
