CPANSA-Ukigumo-Server-2020-7746-chartjs: Ukigumo-Server vulnerability
Publisher | giterlizzi | Document category | csaf_security_advisory |
---|---|---|---|
Initial release date | 2020-10-29T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
Current release date | 2020-10-29T00:00:00 | Build Date | |
Current version | 1 | Status | final |
CVSS v3.1 Base Score | 7.5 | Severity | High |
Original language | | Language | en |
Also referred to | | | |
Vulnerability Description
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
Vulnerabilities
CVE-2020-7746
Vulnerability Description
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
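The merge behaviour described above, shown as an added example that is not code from this advisory, from Ukigumo-Server or from Chart.js: a naive recursive options merge that copies every key of the caller-supplied object, beside a hardened version that refuses to descend into prototype-related keys. The function names, the sample defaults and the crafted options object are all constructed for illustration; Chart.js' own helper and its 2.9.4 fix are not reproduced here.

```javascript
// Added example, not project code. Demonstrates why an unchecked deep merge
// of an options object can modify Object.prototype, and one way to guard it.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: every own key of `source` is written into `target`.
// When `source` carries an own "__proto__" key (as JSON.parse produces),
// target["__proto__"] resolves to Object.prototype and the recursion
// writes the attacker-controlled values there.
function mergeDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: keys that can reach the prototype chain are never
// merged, and nested containers are only reused when they are own,
// plain-object properties of `target`.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop the dangerous key entirely
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeDeepSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge strategy against constructed defaults and a constructed
// options object, then probes an unrelated empty object to see whether
// Object.prototype was modified. Cleans up afterwards so repeated calls
// start from a clean prototype.
function demonstrate(merge) {
  const defaults = { scales: { x: { min: 10, max: 100 } } };
  // Constructed payload: a legitimate override plus a "__proto__" key.
  const payload = JSON.parse(
    '{"scales": {"x": {"min": 0}}, "__proto__": {"polluted": "yes"}}'
  );
  const result = merge(defaults, payload);
  const probe = {}; // never touched by the merge; only changes if the prototype did
  const leaked = probe.polluted;
  delete Object.prototype.polluted;
  return { minApplied: result.scales.x.min, maxKept: result.scales.x.max, leaked };
}

console.log('unsafe merge:', JSON.stringify(demonstrate(mergeDeepUnsafe)));
console.log('safe merge:  ', JSON.stringify(demonstrate(mergeDeepSafe)));
```

With the unsafe merge the probe object reports `polluted: "yes"` even though it was never merged into, which is the symptom to look for when reviewing or testing any deep-merge helper that accepts external input; the hardened merge applies the legitimate `min` override, keeps the default `max`, and leaves Object.prototype untouched. Skipping the key is the simplest fix; building the merged result on a null-prototype object or validating option keys against a schema are stricter alternatives.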
Weakness | CWE-1321 : Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
---|
Product status
Known affected
Product | Score |
---|---|
Ukigumo-Server greater than or equal 2.1.3 and less than or equal 2.1.5 | |
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Ukigumo-Server-2020-7746-chartjs JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2020/cpansa-ukigumo-server-2020-7746-chartjs.json
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCHARTJS-1019376 (external)
- https://github.com/chartjs/Chart.js/pull/7920 (external)
- https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716 (external)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1019375 (external)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019374 (external)
- CVE-2020-7746 (NVD) (external): https://nvd.nist.gov/vuln/detail/CVE-2020-7746
Revision history
Version | Date of the revision | Summary of the revision |
---|---|---|
1 | Thu Oct 29 00:00:00 2020 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/