CVE-2020-5258
dojo - security update
7.7
HIGH
CVSS 3.1
EPSS 1.5%
Description
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution is the ability to inject properties into the prototypes of built-in JavaScript objects, most commonly Object.prototype. An attacker who controls the input passed to a recursive copy or merge routine supplies keys such as `__proto__` so that the copy writes into the shared prototype instead of the target object, and the injected values are then inherited by every object in the application (enabling, for example, privilege flags or denial of service, depending on how the application reads its objects). This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2.
How to fix CVE-2020-5258
To remediate CVE-2020-5258, upgrade the affected package to one of the fixed versions below (check the installed version first with `npm ls dojo`, and remember that a lockfile pins the old version until it is updated). Upstream fixed each release line separately, so pick the fixed release for the line you are on:
- upgrade to 1.15.3+dfsg1-1 or later
- upgrade to 1.10.2+dfsg-1+deb8u3 or later
- upgrade to 1.11.10 or later
Is CVE-2020-5258 being exploited?
Low. The EPSS score is 1.5%, which is a low predicted probability of exploitation in the wild over the next 30 days. EPSS is a predictive model, not a report of observed attacks, so a low score does not mean the vulnerability is safe to leave in place; any application that passes untrusted input into deepCopy should still be patched.
Affected packages (3)
- from 0, < 1.15.3+dfsg1-1
- from 0, < 1.10.2+dfsg-1+deb8u3
- from 0, < 1.11.10
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.7 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |