CVE-2020-5258

CWE-94 — Code Injection CWE-1321 — Prototype Pollution CWE-7414 documents8 sources

Severity

7.5HIGH

EPSS

1.5%

top 18.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dojo Dojo Linuxfoundation Dojo Oracle Documaker +8 more

Timeline

PublishedMar 10

Latest updateJul 15

Description

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:NExploitability: 1.3 | Impact: 5.8

Affected Packages12 packages

▶npmdojo1.12.0 — 1.12.8+5

▶CVEListV5dojo/dojo< 1.12.8+4

▶NVDlinuxfoundation/dojo1.12.0 — 1.12.8+5

▶Debiandojo< 1.15.3+dfsg1-1+3

▶NVDoracle/communications_application_session_controller3.9.0

Also affects: Debian Linux 8.0

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Prototype pollution in dojo↗2020-03-10

▶

OSV

CVE-2020-5258: In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution↗2020-03-10

▶

CVEList

Prototype pollution in dojo↗2020-03-10

▶

OSV

Prototype pollution in dojo↗2020-03-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Load Testing for Web Apps (Dojo) — CVE-2020-5258↗2022-07-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Samples (dojo) — CVE-2020-5258↗2022-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Policy (dojo) — CVE-2020-5258↗2021-10-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Server for PDC (dojo) — CVE-2020-5258↗2021-07-15

▶

Oracle

Oracle Oracle MySQL Risk Matrix: Cluster: Packaging (dojo) — CVE-2020-5258↗2020-07-15

▶

💬Community

Bugzilla

CVE-2020-5258 dojo: Prototype pollution in deepCopy method could result in code injection↗2020-03-11

▶

Bugzilla

CVE-2020-5258 dojo: Prototype pollution in deepCopy method could result in code injection [epel-all]↗2020-03-11

▶