Fix CVE–2020–15366

[debricked]

CVE–2020–15366

Vulnerability details

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

NVD

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

GitHub

Prototype Pollution in Ajv

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

CVSS details - 5.6

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity	Low
Availability	Low

References

    Prototype Pollution in Ajv · CVE-2020-15366 · GitHub Advisory Database · GitHub
    NVD - CVE-2020-15366
    Release v6.12.3 · ajv-validator/ajv · GitHub
    Tags · ajv-validator/ajv · GitHub
    HackerOne
    validate numbers in schemas during schema compilation · ajv-validator/ajv@65b2f7d · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE