Description
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Recommendation
Update the ajv package to the latest compatible version. Followings are version details:
- Affected version(s): < 6.12.3
- Patched version(s): 6.12.3
References
- GHSA-v88g-cgmw-v5xw
- hackerone.com
- security.netapp.com
- CVE-2020-15366
- CWE-1321
- CWE-915
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- Prototype pollution in 101 - CVE-2021-25943
- Open Redirect in node-forge - CVE-2022-0122
- Denial of service in three - CVE-2020-28496
- Prototype Pollution in sey - CVE-2021-23663
- Tags:
- npm
- ajv
Anything's wrong? Let us know Last updated on June 21, 2024