[Pkg-javascript-devel] Bug#976446: highlight.js: CVE-2020-26237

Salvatore Bonaccorso carnil at debian.org
Sat Dec 5 10:36:56 GMT 2020 

Source: highlight.js
Version: 9.18.1+dfsg1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/highlightjs/highlight.js/pull/2636
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 9.12.0+dfsg1-4

Hi,

The following vulnerability was published for highlight.js.

CVE-2020-26237[0]:
| Highlight.js is a syntax highlighter written in JavaScript.
| Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to
| Prototype Pollution. A malicious HTML code block can be crafted that
| will result in prototype pollution of the base object's prototype
| during highlighting. If you allow users to insert custom HTML code
| blocks into your page/app via parsing Markdown code blocks (or
| similar) and do not filter the language names the user can provide you
| may be vulnerable. The pollution should just be harmless data but this
| can cause problems for applications not expecting these properties to
| exist and can result in strange behavior or application crashes, i.e.
| a potential DOS vector. If your website or application does not render
| user provided data it should be unaffected. Versions 9.18.2 and 10.1.2
| and newer include fixes for this vulnerability. If you are using
| version 7 or 8 you are encouraged to upgrade to a newer release.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26237
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26237
[1] https://github.com/highlightjs/highlight.js/pull/2636
[2] https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

More information about the Pkg-javascript-devel mailing list