exploitDog

CVE-2020-5258

Опубликовано: 10 мар. 2020

Источник: nvd

CVSS3: 7.7

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

Ссылки

https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d
Patch
Third Party Advisory
https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
Exploit
Third Party Advisory
https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b%40%3Cusers.qpid.apache.org%3E
https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3%40%3Cusers.qpid.apache.org%3E
https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00%40%3Cusers.qpid.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
Mailing List
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d
Patch
Third Party Advisory
https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
Exploit
Third Party Advisory
https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b%40%3Cusers.qpid.apache.org%3E
https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3%40%3Cusers.qpid.apache.org%3E
https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00%40%3Cusers.qpid.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
Mailing List
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*

Версия до 1.11.10 (исключая)

cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*

Версия от 1.12.0 (включая) до 1.12.8 (исключая)

cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*

Версия от 1.13.0 (включая) до 1.13.7 (исключая)

cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*

Версия от 1.14.0 (включая) до 1.14.6 (исключая)

cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*

Версия от 1.15.0 (включая) до 1.15.3 (исключая)

cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*

Версия от 1.16.0 (включая) до 1.16.2 (исключая)

Конфигурация 2

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*

Версия от 12.6.0 (включая) до 12.6.4 (включая)

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*

Версия от 7.3.0 (включая) до 7.3.29 (включая)

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*

Версия от 7.4.0 (включая) до 7.4.28 (включая)

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*

Версия от 7.5.0 (включая) до 7.5.18 (включая)

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*

Версия от 7.6.0 (включая) до 7.6.14 (включая)

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*

Версия от 8.0.0 (включая) до 8.0.20 (включая)

cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*

Версия от 17.7 (включая) до 17.12 (включая)

cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 83%

0.01992

Низкий

7.7 High

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-94

CWE-1321

Связанные уязвимости

CVE-2020-5258

CVSS3: 7.7

ubuntu

почти 6 лет назад

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

CVE-2020-5258

CVSS3: 3.7

redhat

почти 6 лет назад

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

CVE-2020-5258

CVSS3: 7.7

debian

почти 6 лет назад

In affected versions of dojo (NPM package), the deepCopy method is vul ...

GHSA-jxfh-8wgv-vfr2

CVSS3: 7.7

github

почти 6 лет назад

Prototype pollution in dojo

BDU:2020-03535

CVSS3: 5.3

fstec

почти 6 лет назад

Уязвимость компонента Cluster: Packaging (dojo) системы управления базами данных Oracle MySQL Cluster, позволяющая нарушителю нарушить целостность данных

EPSS

Процентиль: 83%

0.01992

Низкий

7.7 High

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-94

CWE-1321