HIGH · 7.7

CVE-2020-5258


Vulnerability Description

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. In practice the attacker controls the source object handed to deepCopy (for example a parsed JSON request body); a key such as `__proto__` is walked like any other property, so the values beneath it are written into the shared Object.prototype and become visible on every object in the process. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2.
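The mechanism described above, as an added illustrative example that is not dojo's own code: a naive recursive copy that walks every key of an untrusted source object, beside a hardened variant that refuses prototype-chain keys. The function names, the `PAYLOAD` string and the `isAdmin` property are constructed for the demonstration and are assumptions, not identifiers from the advisory.

```javascript
// Added example, not code from dojo. Shows why a recursive "deep copy" that
// copies attacker-controlled keys pollutes Object.prototype, and one fix.

// Vulnerable pattern: copies every enumerable key, including "__proto__".
// Reading target["__proto__"] on a plain object yields Object.prototype, so
// the recursion writes straight into the prototype shared by all objects.
function naiveDeepCopy(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      target[key] = naiveDeepCopy(target[key] || {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant (illustrative fix, not dojo's patch):
//  - iterate own keys only, never inherited ones;
//  - refuse the keys that reach the prototype chain;
//  - only recurse into a target slot that is an own object property.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      const base = existing !== null && typeof existing === "object" ? existing : {};
      target[key] = safeDeepCopy(base, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON request body. JSON.parse creates
// "__proto__" as an ordinary own property, so both copy loops will see it.
const PAYLOAD = '{"profile": {"name": "alice"}, "__proto__": {"isAdmin": true}}';

// Runs one copy function over the payload and reports whether an unrelated,
// freshly created object now inherits the injected property.
function demonstrate(copyFn) {
  const untrusted = JSON.parse(PAYLOAD);
  const merged = copyFn({}, untrusted);
  const unrelated = {}; // never touched the payload
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so runs stay independent
  return { name: merged.profile.name, polluted };
}

console.log("naive:", demonstrate(naiveDeepCopy)); // polluted: true
console.log("safe: ", demonstrate(safeDeepCopy));  // polluted: false
```

The key-denylist is the minimal fix; for maps keyed by untrusted strings, storing them in `Object.create(null)` or a `Map` removes the prototype chain entirely and is the more robust design.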

CVSS Score

7.7

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Affected Products

Vendor           Product                                        Versions
Linuxfoundation  Dojo                                           < 1.11.10
Debian           Debian Linux                                   8.0
Oracle           Communications Application Session Controller  3.9.0
Oracle           Communications Policy Management               12.5.0
Oracle           Communications Pricing Design Center           12.0.0.3.0
Oracle           Documaker                                      >= 12.6.0, <= 12.6.4
Oracle           Mysql                                          >= 7.3.0, <= 7.3.29
Oracle           Primavera Unifier                              >= 17.7, <= 17.12
Oracle           Webcenter Sites                                12.2.1.3.0
Oracle           Weblogic Server                                12.2.1.4.0

Note: the table lists only the 1.11 branch for Dojo. The description above also names fixes in the 1.12 to 1.16 branches (1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2), so releases of those branches before the named version are affected as well.

Related Weaknesses (CWE)

References

FAQ

What is CVE-2020-5258?

CVE-2020-5258 is a vulnerability with a CVSS score of 7.7 (HIGH). In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.

How severe is CVE-2020-5258?

CVE-2020-5258 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-5258?

Yes. The dojo NPM package is fixed in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2; upgrade to the fixed release of whichever branch you are on. Downstream products that bundle dojo (Debian Linux, Oracle Communications Application Session Controller, Oracle Communications Policy Management, Oracle Communications Pricing Design Center, Oracle Documaker, Oracle Mysql, Oracle Primavera Unifier, Oracle Webcenter Sites and Oracle Weblogic Server) ship their own updates; check the references section above for those vendor advisories.