Description
Prototype Pollution in chartkick
Affected versions of @polymer/polymer are vulnerable to prototype pollution. The package fails to prevent modification of object prototypes through chart options containing a payload such as {"__proto__": {"polluted": true}}. It is possible to achieve the same results if a chart loads data from a malicious server.
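As an added illustration (not chartkick's code and not the project's actual fix), the following JavaScript contrasts a naive recursive options merge, which the payload quoted above pollutes, with a hardened merge that refuses prototype-manipulating keys and only descends into the target's own properties. The function names, default options and sample payload are constructed for this example.

```javascript
// Added example, not part of the chartkick project: naive vs. hardened
// deep merge of chart options. Names and sample data are constructed.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive deep merge: treats "__proto__" like any other key. Reading
// target["__proto__"] yields Object.prototype, so the recursion writes
// the attacker-controlled "polluted" property onto every object.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips prototype-manipulating keys, iterates only own
// keys of the source, and never recurses into an inherited target value.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed chart options carrying the payload quoted in the advisory,
// parsed from JSON as they would be when received from a remote data source.
const MALICIOUS_OPTIONS = JSON.parse(
  '{"__proto__": {"polluted": true}, "title": "Sales"}');

// Merges the payload into fresh defaults with the given strategy and reports
// whether an unrelated object picked up the injected property. Restores
// Object.prototype afterwards so the check is repeatable.
function checkPollution(mergeFn) {
  const defaults = { colors: ["#3366CC"], legend: true };
  const merged = mergeFn(defaults, MALICIOUS_OPTIONS);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { polluted, title: merged.title };
}
```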
Recommendation
Upgrade to version 3.2.0 or later.
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-18841
- https://github.com/ankane/chartkick.js/issues/117
- https://github.com/ankane/chartkick/commit/b810936bbf687bc74c5b6dba72d2397a399885fa
- https://chartkick.com
- https://github.com/ankane/chartkick/blob/master/CHANGELOG.md
- https://github.com/ankane/chartkick/commits/master
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/chartkick/CVE-2019-18841.yml
- https://rubygems.org/gems/chartkick
Packages
Name: chartkick (rubygems)
Affected versions: < 3.3.0
Fixed version: 3.3.0
Name: chartkick (npm)
Affected versions: >= 3.1.0, <= 3.1.3
Fixed version: 3.2.0
Related vulnerabilities
CVSS3: 7.3
ubuntu
about 6 years ago
Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.
CVSS3: 7.3
nvd
about 6 years ago
Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.
CVSS3: 7.3
debian
about 6 years ago
Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before ...