mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-07-29 05:56:17 +00:00
182 lines
6.3 KiB
JSON
182 lines
6.3 KiB
JSON
{
|
|
"id": "CVE-2020-5259",
|
|
"sourceIdentifier": "security-advisories@github.com",
|
|
"published": "2020-03-10T18:15:12.203",
|
|
"lastModified": "2020-03-11T21:15:11.830",
|
|
"vulnStatus": "Modified",
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2"
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "En las versiones afectadas de dojox (paquete NPM), el m\u00e9todo jqMix es vulnerable a una Contaminaci\u00f3n de Prototipo. La Contaminaci\u00f3n de Prototipo se refiere a la capacidad de inyectar propiedades en prototipos de construcciones de lenguaje JavaScript existentes, tales como objetos. Un atacante manipula estos atributos para sobrescribir o contaminar un prototipo de objeto de la aplicaci\u00f3n JavaScript del objeto base mediante la inyecci\u00f3n de otros valores. Esto ha sido parcheado en las versiones 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 y 1.16.2"
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "NONE",
|
|
"userInteraction": "NONE",
|
|
"scope": "CHANGED",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 8.6,
|
|
"baseSeverity": "HIGH"
|
|
},
|
|
"exploitabilityScore": 3.9,
|
|
"impactScore": 4.0
|
|
},
|
|
{
|
|
"source": "security-advisories@github.com",
|
|
"type": "Secondary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "HIGH",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "REQUIRED",
|
|
"scope": "CHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 7.7,
|
|
"baseSeverity": "HIGH"
|
|
},
|
|
"exploitabilityScore": 1.3,
|
|
"impactScore": 5.8
|
|
}
|
|
],
|
|
"cvssMetricV2": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "2.0",
|
|
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
|
|
"accessVector": "NETWORK",
|
|
"accessComplexity": "LOW",
|
|
"authentication": "NONE",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "PARTIAL",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 5.0
|
|
},
|
|
"baseSeverity": "MEDIUM",
|
|
"exploitabilityScore": 10.0,
|
|
"impactScore": 2.9,
|
|
"acInsufInfo": false,
|
|
"obtainAllPrivilege": false,
|
|
"obtainUserPrivilege": false,
|
|
"obtainOtherPrivilege": false,
|
|
"userInteractionRequired": false
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-74"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"source": "security-advisories@github.com",
|
|
"type": "Secondary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-94"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*",
|
|
"versionEndExcluding": "1.11.10",
|
|
"matchCriteriaId": "8FE926F0-90A5-4A7D-9C47-15B5D220D9AD"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*",
|
|
"versionStartIncluding": "1.12.0",
|
|
"versionEndExcluding": "1.12.8",
|
|
"matchCriteriaId": "B998EEAA-ED31-4484-B7FE-D984B1ED0A07"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*",
|
|
"versionStartIncluding": "1.13.0",
|
|
"versionEndExcluding": "1.13.7",
|
|
"matchCriteriaId": "0A7B41CB-57BF-418C-B449-FFDA07D13BAB"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*",
|
|
"versionStartIncluding": "1.14.0",
|
|
"versionEndExcluding": "1.14.6",
|
|
"matchCriteriaId": "4273C6F4-9F0C-49D1-B18C-B333C767084A"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*",
|
|
"versionStartIncluding": "1.15.0",
|
|
"versionEndExcluding": "1.15.3",
|
|
"matchCriteriaId": "4869AB30-553C-44D1-A946-AB51D440D2F4"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:linuxfoundation:dojox:*:*:*:*:*:node.js:*:*",
|
|
"versionStartIncluding": "1.16.0",
|
|
"versionEndExcluding": "1.16.2",
|
|
"matchCriteriaId": "CCC82759-D49E-4D83-A4C1-7C59BE897A32"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da",
|
|
"source": "security-advisories@github.com",
|
|
"tags": [
|
|
"Patch"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw",
|
|
"source": "security-advisories@github.com",
|
|
"tags": [
|
|
"Exploit",
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html",
|
|
"source": "security-advisories@github.com"
|
|
}
|
|
]
|
|
} |