[Pkg-javascript-devel] Bug#953585: dojo: CVE-2020-5258
Salvatore Bonaccorso
carnil at debian.org
Tue Mar 10 21:36:08 GMT 2020
Source: dojo
Version: 1.15.2+dfsg1-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for dojo.
CVE-2020-5258[0]:
| In affected versions of dojo (NPM package), the deepCopy method is
| vulnerable to Prototype Pollution. Prototype Pollution refers to the
| ability to inject properties into existing JavaScript language
| construct prototypes, such as objects. An attacker manipulates these
| attributes to overwrite, or pollute, a JavaScript application object
| prototype of the base object by injecting other values. This has been
| patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-5258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5258
[1] https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
[2] https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-javascript-devel
mailing list