CVE-2020-5258
Summary
| CVE | CVE-2020-5258 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-03-10 18:15:00 UTC |
| Updated | 2023-11-07 03:23:00 UTC |
| Description | In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2. |
Risk And Classification
Problem Types: CWE-94
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Application | Linuxfoundation | Dojo | All | All | All | All |
| Application | Linuxfoundation | Dojo | All | All | All | All |
| Application | Oracle | Communications Application Session Controller | 3.9.0 | All | All | All |
| Application | Oracle | Communications Policy Management | 12.5.0 | All | All | All |
| Application | Oracle | Communications Pricing Design Center | 12.0.0.3.0 | All | All | All |
| Application | Oracle | Documaker | All | All | All | All |
| Application | Oracle | Mysql | All | All | All | All |
| Application | Oracle | Mysql | All | All | All | All |
| Application | Oracle | Mysql | All | All | All | All |
| Application | Oracle | Mysql | All | All | All | All |
| Application | Oracle | Mysql | All | All | All | All |
| Application | Oracle | Primavera Unifier | 18.8 | All | All | All |
| Application | Oracle | Primavera Unifier | 19.12 | All | All | All |
| Application | Oracle | Primavera Unifier | 20.12 | All | All | All |
| Application | Oracle | Primavera Unifier | All | All | All | All |
| Application | Oracle | Webcenter Sites | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Webcenter Sites | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Weblogic Server | 14.1.1.0.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| [SECURITY] [DLA 2139-1] dojo security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Prototype pollution · Advisory · dojo/dojo · GitHub | CONFIRM | github.com | Exploit, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| Merge pull request from GHSA-jxfh-8wgv-vfr2 · dojo/dojo@20a00af · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.