CVE-2020-5259

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

CVSS v3 8.6 HIGH
CVSS v2.0 5.0 MEDIUM

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da	Patch
https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw	Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*

History

No history.

Information

Published : 2020-03-10 18:15

Updated : 2023-12-10 13:13

NVD link : CVE-2020-5259

Mitre link : CVE-2020-5259

CVE.ORG link : CVE-2020-5259

JSON object : View

Products Affected

linuxfoundation

dojox

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2020-5259", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.3}]}, "published": "2020-03-10T18:15:12.203", "references": [{"url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html", "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2"}, {"lang": "es", "value": "En las versiones afectadas de dojox (paquete NPM), el m\u00e9todo jqMix es vulnerable a una Contaminaci\u00f3n de Prototipo. La Contaminaci\u00f3n de Prototipo se refiere a la capacidad de inyectar propiedades en prototipos de construcciones de lenguaje JavaScript existentes, tales como objetos. Un atacante manipula estos atributos para sobrescribir o contaminar un prototipo de objeto de la aplicaci\u00f3n JavaScript del objeto base mediante la inyecci\u00f3n de otros valores. Esto ha sido parcheado en las versiones 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 y 1.16.2"}], "lastModified": "2020-03-11T21:15:11.830", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8FE926F0-90A5-4A7D-9C47-15B5D220D9AD", "versionEndExcluding": "1.11.10"}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B998EEAA-ED31-4484-B7FE-D984B1ED0A07", "versionEndExcluding": "1.12.8", "versionStartIncluding": "1.12.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0A7B41CB-57BF-418C-B449-FFDA07D13BAB", "versionEndExcluding": "1.13.7", "versionStartIncluding": "1.13.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "4273C6F4-9F0C-49D1-B18C-B333C767084A", "versionEndExcluding": "1.14.6", "versionStartIncluding": "1.14.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "4869AB30-553C-44D1-A946-AB51D440D2F4", "versionEndExcluding": "1.15.3", "versionStartIncluding": "1.15.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CCC82759-D49E-4D83-A4C1-7C59BE897A32", "versionEndExcluding": "1.16.2", "versionStartIncluding": "1.16.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}