Add CVE-2021-39227 for GHSA-fhv8-fx5f-7fxf

Add CVE-2021-39227 for GHSA-fhv8-fx5f-7fxf
This commit is contained in:
advisory-db[bot] 2021-09-17 14:07:08 +00:00 committed by GitHub
parent 467d7b69c8
commit 9cb43bbb5e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,18 +1,93 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39227",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Fix prototype pollution in the zrender merge and clone helper methods"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "zrender",
"version": {
"version_data": [
{
"version_value": "< 5.2.1"
}
]
}
}
]
},
"vendor_name": "ecomfe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: Check if there is `__proto__` in the object keys. Omit it before using it as an parameter in these affected methods. Or in `echarts.util.merge` and `setOption` if project is using ECharts."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf",
"refsource": "CONFIRM",
"url": "https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf"
},
{
"name": "https://github.com/ecomfe/zrender/pull/826",
"refsource": "MISC",
"url": "https://github.com/ecomfe/zrender/pull/826"
},
{
"name": "https://github.com/ecomfe/zrender/releases/tag/5.2.1",
"refsource": "MISC",
"url": "https://github.com/ecomfe/zrender/releases/tag/5.2.1"
}
]
},
"source": {
"advisory": "GHSA-fhv8-fx5f-7fxf",
"discovery": "UNKNOWN"
}
}
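Review bot: The CVSS vector in `"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"` looks inconsistent with the description's own claim that the pollution is reachable through `echarts.util.merge` and `setOption`, i.e. through data the application feeds to the library; prototype pollution reached that way is usually scored with a non-local attack vector and an integrity impact, so the vector and the 6.2 base score should be re-checked against the linked GHSA before this record is published. The workaround sentence names only `__proto__`, while CWE-1321 is also commonly triggered through `constructor` and `prototype` keys; if the 5.2.1 fix in PR #826 blocks those as well, the workaround text should say so, e.g. `Check for `__proto__`, `constructor` and `prototype` in the object keys and omit them before passing the object to these methods`. The same sentence has a typo, `as an parameter` should read `as a parameter`.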