CVE-2020-5259 - OpenCVE

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linuxfoundation	Dojox

Configuration 1 [-]

OR	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*
	cpe:2.3:a:linuxfoundation:dojox::::::node.js::*

No data.

References

Link	Providers
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-03-10T17:50:14

Updated: 2024-08-04T08:22:09.035Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5259

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-03-10T18:15:12.203

Modified: 2020-03-11T21:15:11.830

Link: CVE-2020-5259

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "dojox", "vendor": "dojo", "versions": [{"status": "affected", "version": "< 1.11.10"}, {"status": "affected", "version": ">= 1.12.0, < 1.12.8"}, {"status": "affected", "version": ">= 1.13.0, < 1.13.7"}, {"status": "affected", "version": ">= 1.14.0, < 1.14.6"}, {"status": "affected", "version": ">= 1.15.0, < 1.15.3"}, {"status": "affected", "version": ">= 1.16.0, < 1.16.2"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-11T20:06:02", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da"}, {"name": "[debian-lts-announce] 20200311 [SECURITY] [DLA 2139-1] dojo security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"}], "source": {"advisory": "GHSA-3hw5-q855-g6cw", "discovery": "UNKNOWN"}, "title": "Prototype Pollution in Dojox", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5259", "STATE": "PUBLIC", "TITLE": "Prototype Pollution in Dojox"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "dojox", "version": {"version_data": [{"version_value": "< 1.11.10"}, {"version_value": ">= 1.12.0, < 1.12.8"}, {"version_value": ">= 1.13.0, < 1.13.7"}, {"version_value": ">= 1.14.0, < 1.14.6"}, {"version_value": ">= 1.15.0, < 1.15.3"}, {"version_value": ">= 1.16.0, < 1.16.2"}]}}]}, "vendor_name": "dojo"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2"}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw", "refsource": "CONFIRM", "url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw"}, {"name": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da", "refsource": "MISC", "url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da"}, {"name": "[debian-lts-announce] 20200311 [SECURITY] [DLA 2139-1] dojo security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"}]}, "source": {"advisory": "GHSA-3hw5-q855-g6cw", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.035Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da"}, {"name": "[debian-lts-announce] 20200311 [SECURITY] [DLA 2139-1] dojo security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5259", "datePublished": "2020-03-10T17:50:14", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.035Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8FE926F0-90A5-4A7D-9C47-15B5D220D9AD", "versionEndExcluding": "1.11.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B998EEAA-ED31-4484-B7FE-D984B1ED0A07", "versionEndExcluding": "1.12.8", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0A7B41CB-57BF-418C-B449-FFDA07D13BAB", "versionEndExcluding": "1.13.7", "versionStartIncluding": "1.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4273C6F4-9F0C-49D1-B18C-B333C767084A", "versionEndExcluding": "1.14.6", "versionStartIncluding": "1.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4869AB30-553C-44D1-A946-AB51D440D2F4", "versionEndExcluding": "1.15.3", "versionStartIncluding": "1.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CCC82759-D49E-4D83-A4C1-7C59BE897A32", "versionEndExcluding": "1.16.2", "versionStartIncluding": "1.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2"}, {"lang": "es", "value": "En las versiones afectadas de dojox (paquete NPM), el m\u00e9todo jqMix es vulnerable a una Contaminaci\u00f3n de Prototipo. La Contaminaci\u00f3n de Prototipo se refiere a la capacidad de inyectar propiedades en prototipos de construcciones de lenguaje JavaScript existentes, tales como objetos. Un atacante manipula estos atributos para sobrescribir o contaminar un prototipo de objeto de la aplicaci\u00f3n JavaScript del objeto base mediante la inyecci\u00f3n de otros valores. Esto ha sido parcheado en las versiones 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 y 1.16.2"}], "id": "CVE-2020-5259", "lastModified": "2020-03-11T21:15:11.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-03-10T18:15:12.203", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}