CVE-2020-5258

HIGH

Linuxfoundation Dojo < 1.11.10 - Code Injection

Title source: rule
STIX 2.1

Description

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2

References (11)

Core 11
Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 7.7
EPSS 0.0154
EPSS Percentile 81.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-94 CWE-1321
Status published
Products (16)
debian/debian_linux 8.0
linuxfoundation/dojo < 1.11.10
npm/dojo 0 - 1.11.10npm
oracle/communications_application_session_controller 3.9.0
oracle/communications_policy_management 12.5.0
oracle/communications_pricing_design_center 12.0.0.3.0
oracle/documaker 12.6.0 - 12.6.4
oracle/mysql 7.3.0 - 7.3.29
oracle/primavera_unifier 18.8
oracle/primavera_unifier 19.12
... and 6 more
Published Mar 10, 2020
Tracked Since Feb 18, 2026