[Pkg-javascript-devel] Bug#953587: dojo: CVE-2020-5259
Salvatore Bonaccorso
carnil at debian.org
Tue Mar 10 21:38:47 GMT 2020
Source: dojo
Version: 1.15.2+dfsg1-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for dojo.
CVE-2020-5259[0]:
| In affected versions of dojox (NPM package), the jqMix method is
| vulnerable to Prototype Pollution. Prototype Pollution refers to the
| ability to inject properties into existing JavaScript language
| construct prototypes, such as objects. An attacker manipulates these
| attributes to overwrite, or pollute, a JavaScript application object
| prototype of the base object by injecting other values. This has been
| patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-5259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5259
[1] https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
[2] https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-javascript-devel
mailing list