CVE-2020-5259

Name: CVE-2020-5259
Description: In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution is the ability to inject properties into the prototypes of built-in JavaScript constructs such as Object.prototype; because every ordinary object inherits from that prototype, an attacker who can pollute it (typically by passing a key such as "__proto__" or "constructor" through an unchecked recursive merge) changes the properties seen by every object in the application, for example flipping an authorization flag that code reads but never sets. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2.
Source: CVE (at NVD)
References: DLA-2139-1
Debian Bugs: 953587
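The following is an added illustration, not part of the tracker page and not dojox's own source: a generic recursive deep-merge written for this example (not the actual jqMix implementation) that copies a "__proto__" key from attacker-supplied JSON into its target, and through it into Object.prototype, beside a hardened variant that refuses the dangerous keys and only recurses into the target's own properties. The JSON payload and the pollutes() check are constructed for the example.

```javascript
// Added example; the merge functions are generic illustrations of the bug
// class, not dojox's jqMix code.

// Constructed attacker input, as it might arrive in a JSON request body.
const PAYLOAD = '{"name":"bob","__proto__":{"isAdmin":true}}';

// Vulnerable: copies every own key of src, including "__proto__".
// JSON.parse creates "__proto__" as an own data property, so Object.keys
// returns it; dest["__proto__"] then resolves to Object.prototype, which
// is an object, so the merge recurses into it and writes isAdmin there.
function unsafeMix(dest, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === "object") {
      if (dest[key] === null || typeof dest[key] !== "object") dest[key] = {};
      unsafeMix(dest[key], val);
    } else {
      dest[key] = val;
    }
  }
  return dest;
}

// Hardened: skip the keys that reach a prototype, and only merge into
// containers that are own properties of dest (never inherited ones).
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMix(dest, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === "object") {
      const own = Object.prototype.hasOwnProperty.call(dest, key);
      if (!own || dest[key] === null || typeof dest[key] !== "object") dest[key] = {};
      safeMix(dest[key], val);
    } else {
      dest[key] = val;
    }
  }
  return dest;
}

// Runs one merge of the payload into a fresh object and reports whether a
// bystander object that was never touched now carries isAdmin === true.
// Cleans Object.prototype afterwards so repeated runs start from a clean state.
function pollutes(mix) {
  const before = ({}).isAdmin;           // undefined on a clean runtime
  mix({}, JSON.parse(PAYLOAD));
  const after = ({}).isAdmin;            // true only if the prototype was polluted
  delete Object.prototype.isAdmin;       // restore global state
  return before === undefined && after === true;
}

// Ordinary deep-merge behaviour is preserved by the hardened version.
function mergeExample() {
  return JSON.stringify(safeMix({ a: { b: 1 } }, JSON.parse('{"a":{"c":2},"d":3}')));
}

console.log("unsafeMix pollutes Object.prototype:", pollutes(unsafeMix));
console.log("safeMix pollutes Object.prototype:  ", pollutes(safeMix));
console.log("safeMix normal merge:", mergeExample());
```

The check in pollutes() is also a practical regression test for any merge or "extend" helper in a code base: feed it a "__proto__" key and assert that a freshly created object does not inherit the injected property.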

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release                                  Version                 Status
dojo (PTS)      jessie, jessie (lts)                     1.10.2+dfsg-1+deb8u4    fixed
                buster (security), buster, buster (lts)  1.14.2+dfsg1-1+deb10u3  fixed
                bullseye                                 1.15.4+dfsg1-1+deb11u1  fixed
                sid, trixie, bookworm                    1.17.2+dfsg1-2.1        fixed

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version           Urgency      Origin      Debian Bugs
dojo     source  wheezy      (unfixed)               end-of-life
dojo     source  jessie      1.10.2+dfsg-1+deb8u3                 DLA-2139-1
dojo     source  buster      1.14.2+dfsg1-1+deb10u2
dojo     source  (unstable)  1.15.3+dfsg1-1                                   953587

Notes

https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da
