CVE-2020-5258 Information

Description

In affected versions of dojo (NPM package) the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes such as objects. An attacker manipulates these attributes to overwrite or pollute a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8 1.13.7 1.14.6 1.15.3 and 1.16.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2 https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html https://www.oracle.com/security-alerts/cpujul2020.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.5