Candidate: CVE-2020-5258
PublicDate: 2020-03-10 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5258
 https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
 https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d
Description:
 In affected versions of dojo (NPM package), the deepCopy method is
 vulnerable to Prototype Pollution. Prototype Pollution refers to the
 ability to inject properties into existing JavaScript language construct
 prototypes, such as objects. An attacker manipulates these attributes to
 overwrite, or pollute, a JavaScript application object prototype of the
 base object by injecting other values. This has been patched in versions
 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953585
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_dojo:
upstream_dojo: needs-triage
precise/esm_dojo: DNE
trusty_dojo: ignored (out of standard support)
trusty/esm_dojo: DNE
xenial_dojo: ignored (end of standard support, was needs-triage)
bionic_dojo: needs-triage
eoan_dojo: ignored (reached end-of-life)
focal_dojo: needs-triage
groovy_dojo: not-affected (1.15.3+dfsg1-1)
hirsute_dojo: not-affected (1.15.3+dfsg1-1)
impish_dojo: not-affected (1.15.3+dfsg1-1)
jammy_dojo: not-affected (1.15.3+dfsg1-1)
devel_dojo: not-affected (1.15.3+dfsg1-1)