Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
CVE-2020-5258
CVE information
Impact Analysis
Description
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2.
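To make the described defect concrete, here is an added illustration (written for this page, not dojo's own `deepCopy` code and not the patched implementation) of the general pattern: a recursive deep copy that walks every own key of untrusted input, including a key literally named `__proto__`, beside a hardened version that refuses prototype-related keys and only recurses into properties the target itself owns. The input object, function names and the `polluted` marker are constructed for the example; a real payload would arrive as a parsed JSON request body.

```javascript
// Added example for CVE-2020-5258's bug class (not dojo's code): a naive
// recursive deep copy versus one that cannot reach Object.prototype.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive pattern: every own key of `source` is merged into `target`. When the
// key is "__proto__", `target[key]` resolves through the inherited accessor to
// Object.prototype, and the recursion writes the attacker's values onto it.
function naiveDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepCopy(target[key], value);
    } else {
      target[key] = value; // arrays and primitives are copied by reference
    }
  }
  return target;
}

// Hardened pattern: skip keys that name the prototype machinery and never
// recurse into an inherited property, so the walk stays inside `target`.
function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop "__proto__" and friends
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain = Object.prototype.hasOwnProperty.call(target, key)
        && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input. JSON.parse creates "__proto__" as an ordinary own
// data property, so Object.keys() returns it like any other key.
const UNTRUSTED = JSON.parse('{"name":"widget","__proto__":{"polluted":"yes"}}');

// Copy with the naive routine, measure whether an unrelated object now
// inherits the injected property, then undo the damage so nothing leaks
// past this function.
function runNaive() {
  const target = naiveDeepCopy({}, UNTRUSTED);
  const leaked = ({}).polluted; // "yes": Object.prototype was modified
  delete Object.prototype.polluted;
  return { copyHasName: target.name === 'widget', leaked };
}

// Copy with the hardened routine: the legitimate key survives, the
// prototype key is dropped, and unrelated objects are untouched.
function runSafe() {
  const target = safeDeepCopy({}, UNTRUSTED);
  return {
    copyHasName: target.name === 'widget',
    leaked: ({}).polluted, // undefined
    copyKeys: Object.keys(target), // ["name"]
  };
}

console.log('naive:', runNaive());
console.log('safe :', runSafe());
```

The defensive points are the two guards in `safeDeepCopy`: the key denylist stops the direct `__proto__` route, and the own-property check stops recursion from following an inherited accessor into a shared prototype. An equivalent mitigation at the data boundary is to build the copy target with `Object.create(null)` so it has no prototype to pollute.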
CVSSv2.0 Score
- Severity: Medium
- Base Score: 5/10
- Exploit Score: 10/10
- Access Vector: Network
- Access Complexity: Low
- Authentication Required: None
- Impact Score: 2.9/10
- Confidentiality Impact: None
- Availability Impact: None
- Integrity Impact: Partial
CVSSv3.1 Score
- Severity: High
- Base Score: 7.7/10
- Exploit Score: 1.3/10
- Access Vector: Network
- Access Complexity: High
- Privileges Required: Low
- Impact Score: 5.8/10
- Confidentiality Impact: High
- Availability Impact: None
- Integrity Impact: High
- Scope: Changed
- User Interaction: Required
Products Affected
CPE | Affected | Vulnerable from (inclusive) | Up to (exclusive)
---|---|---|---
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:* | Yes | 1.13.0 | 1.13.7
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:* | Yes | 1.14.0 | 1.14.6
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:* | Yes | 1.15.0 | 1.15.3
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:* | Yes | 1.16.0 | 1.16.2
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:* | Yes | - | 1.11.10
cpe:2.3:a:linuxfoundation:dojo:*:*:*:*:*:node.js:*:* | Yes | 1.12.0 | 1.12.8
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* | Yes | 17.7 | -
cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:* | Yes | - | -
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* | Yes | 8.0.0 | -
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* | Yes | - | -
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* | Yes | 7.6.0 | -
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* | Yes | 7.5.0 | -
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* | Yes | 7.4.0 | -
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* | Yes | 7.3.0 | -
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0 | Yes | - | -
cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:* | Yes | 12.6.0 | -
cpe:2.3:a:oracle:communications_application_session_controll | Yes | - | -
References
- https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d
- https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
- https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806
- https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78ea
- https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df