CVE-2020-28458 — Prototype Pollution in Datatables.net

CWE-1321 — Prototype Pollution CWE-400 — Uncontrolled Resource Consumption5 documents5 sources

Severity

7.3HIGHNVD

EPSS

1.2%

top 20.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Datatables Datatables.net Msrc Cbl2 Reaper 3.1.1-15 ON CBL Mariner 2.0 Msrc Cbl2 Reaper 3.1.1-18 ON CBL Mariner 2.0 +2 more

Timeline

PublishedDec 16

Latest updateDec 17

Description

All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages7 packages

▶CVEListV5datatables/datatables.net< unspecified

▶NVDdatatables/datatables.net< 1.10.23

▶npmdatatables/datatables.net< 1.10.22

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

datatables.net vulnerable to Prototype Pollution due to incomplete fix↗2020-12-17

▶

OSV

datatables.net vulnerable to Prototype Pollution due to incomplete fix↗2020-12-17

▶

📋Vendor Advisories

Microsoft

All versions of package datatables.net are vulnerable to Prototype Pollution↗2020-12-08

▶

Red Hat

datatables.net: prototype pollution if 'constructor' were used in a data property name↗2020-10-25

▶