{"containers": {"cna": {"affected": [{"product": "highlight.js", "vendor": "highlightjs", "versions": [{"status": "affected", "version": "< 9.18.2"}, {"status": "affected", "version": ">= 10.0.0, < 10.1.2"}]}], "descriptions": [{"lang": "en", "value": "Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-471", "description": "CWE-471 Modification of Assumed-Immutable Data (MAID)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:16:25", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/highlightjs/highlight.js/pull/2636"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/highlight.js"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0"}, {"name": "[debian-lts-announce] 20201230 [SECURITY] [DLA 2511-1] highlight.js security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00041.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "source": {"advisory": "GHSA-vfrc-7r7c-w9mx", "discovery": "UNKNOWN"}, "title": "Prototype Pollution in highlight.js", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26237", "STATE": "PUBLIC", "TITLE": "Prototype Pollution in highlight.js"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "highlight.js", "version": {"version_data": [{"version_value": "< 9.18.2"}, {"version_value": ">= 10.0.0, < 10.1.2"}]}}]}, "vendor_name": "highlightjs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-471 Modification of Assumed-Immutable Data (MAID)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx", "refsource": "CONFIRM", "url": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx"}, {"name": "https://github.com/highlightjs/highlight.js/pull/2636", "refsource": "MISC", "url": "https://github.com/highlightjs/highlight.js/pull/2636"}, {"name": "https://www.npmjs.com/package/highlight.js", "refsource": "MISC", "url": "https://www.npmjs.com/package/highlight.js"}, {"name": "https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0", "refsource": "MISC", "url": "https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0"}, {"name": "[debian-lts-announce] 20201230 [SECURITY] [DLA 2511-1] highlight.js security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00041.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}, "source": {"advisory": "GHSA-vfrc-7r7c-w9mx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:56:03.046Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/highlightjs/highlight.js/pull/2636"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/highlight.js"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0"}, {"name": "[debian-lts-announce] 20201230 [SECURITY] [DLA 2511-1] highlight.js security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00041.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26237", "datePublished": "2020-11-24T23:00:21", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:03.046Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:highlightjs:highlight.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "AF6D839E-1AC7-4F59-B516-69D5F8487ED4", "versionEndExcluding": "9.18.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:highlightjs:highlight.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EE56A922-F91D-4AD1-8C07-56B25BD9E32D", "versionEndExcluding": "10.1.2", "versionStartIncluding": "10.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B4888C7-3A68-4AAE-A3ED-8DD4E358BCA4", "versionEndIncluding": "8.0.30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release."}, {"lang": "es", "value": "Highlight.js es un resaltador de sintaxis escrito en JavaScript.&#xa0;Highlight.js versiones anteriores a 9.18.2 y 10.1.2 son vulnerables a una Contaminaci\u00f3n de Prototipo. Un bloque de c\u00f3digo HTML malicioso puede ser dise\u00f1ado lo que resultar\u00e1 en la contaminaci\u00f3n del prototipo del prototipo del objeto base durante el resaltado.&#xa0;Si permite a usuarios insertar bloques de c\u00f3digo HTML personalizados en su p\u00e1gina y aplicaci\u00f3n por medio del an\u00e1lisis de bloques de c\u00f3digo Markdown (o similar) y no filtrar los nombres del idioma que el usuario puede proporcionar, puede ser vulnerable.&#xa0;La contaminaci\u00f3n deber\u00eda ser solo datos inofensivos, pero esto puede causar problemas para las aplicaciones que no esperan que se presenten estas propiedades y puede resultar en un comportamiento extra\u00f1o o fallos de la aplicaci\u00f3n, es decir, un vector de DOS potencial.&#xa0;Si su sitio web o aplicaci\u00f3n no proporciona los datos proporcionados por el usuario, no deber\u00eda estar afectado.&#xa0;Versiones 9.18.2 y 10.1.&#xa0;2 y m\u00e1s recientes incluyen correcciones para esta vulnerabilidad.&#xa0;Si est\u00e1 usando la versi\u00f3n 7 o 8, le recomendamos que actualice a una versi\u00f3n m\u00e1s reciente"}], "id": "CVE-2020-26237", "lastModified": "2022-10-19T13:49:21.293", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.9, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-11-24T23:15:11.223", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/highlightjs/highlight.js/pull/2636"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00041.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/package/highlight.js"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-471"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3917", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-rhel8:v3.6.0-62", "product_name": "Red Hat Quay 3", "release_date": "2021-10-19T00:00:00Z"}], "bugzilla": {"description": "nodejs-highlight-js: prototype pollution via a crafted HTML code block", "id": "1901662", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901662"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.", "A flaw was found in nodejs-highlight-js. Highlight.js is vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting."], "name": "CVE-2020-26237", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}], "public_date": "2020-11-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-26237\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26237\nhttps://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx"], "statement": "In Red Hat Virtualization, ovirt-engine-api-explorer uses a vulnerable version of highlight.js, however since release 4.4.3 ovirt-engine-api-explorer is obsoleted and no longer used.", "threat_severity": "Moderate", "upstream_fix": "highlight.js 9.18.2, highlight.js 10.1.2"}