CVE Vulnerability

CVE-2020-5258

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

7.7 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d Patch Third Party Advisory
https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2 Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory
https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00@%3Cusers.qpid.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b@%3Cusers.qpid.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3@%3Cusers.qpid.apache.org%3E Mailing List Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Configurations

Configuration 1

cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:*:*:*:*:*:*:*
Information

Published : 2020-03-10 06:15

Updated : 2022-07-25 06:15

NVD link : CVE-2020-5258

Mitre link : CVE-2020-5258

Products Affected
No products.
CWE
CWE-94