Vulnerability Description
ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: Check if there is `__proto__` in the object keys. Omit it before using it as an parameter in these affected methods. Or in `echarts.util.merge` and `setOption` if project is using ECharts.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Baidu | Zrender | < 5.2.1 |
Related Weaknesses (CWE)
References
- https://github.com/ecomfe/zrender/pull/826PatchThird Party Advisory
- https://github.com/ecomfe/zrender/releases/tag/5.2.1Release NotesThird Party Advisory
- https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxfThird Party Advisory
- https://github.com/ecomfe/zrender/pull/826PatchThird Party Advisory
- https://github.com/ecomfe/zrender/releases/tag/5.2.1Release NotesThird Party Advisory
- https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxfThird Party Advisory
FAQ
What is CVE-2021-39227?
CVE-2021-39227 is a vulnerability with a CVSS score of 6.2 (MEDIUM). ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototyp...
How severe is CVE-2021-39227?
CVE-2021-39227 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-39227?
Check the references section above for vendor advisories and patch information. Affected products include: Baidu Zrender.