[Pkg-javascript-devel] Bug#976446: highlight.js: CVE-2020-26237
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 5 10:36:56 GMT 2020
Source: highlight.js
Version: 9.18.1+dfsg1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/highlightjs/highlight.js/pull/2636
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 9.12.0+dfsg1-4
Hi,
The following vulnerability was published for highlight.js.
CVE-2020-26237[0]:
| Highlight.js is a syntax highlighter written in JavaScript.
| Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to
| Prototype Pollution. A malicious HTML code block can be crafted that
| will result in prototype pollution of the base object's prototype
| during highlighting. If you allow users to insert custom HTML code
| blocks into your page/app via parsing Markdown code blocks (or
| similar) and do not filter the language names the user can provide you
| may be vulnerable. The pollution should just be harmless data but this
| can cause problems for applications not expecting these properties to
| exist and can result in strange behavior or application crashes, i.e.
| a potential DOS vector. If your website or application does not render
| user provided data it should be unaffected. Versions 9.18.2 and 10.1.2
| and newer include fixes for this vulnerability. If you are using
| version 7 or 8 you are encouraged to upgrade to a newer release.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-26237
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26237
[1] https://github.com/highlightjs/highlight.js/pull/2636
[2] https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
More information about the Pkg-javascript-devel
mailing list