Description
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Recommendation
Update the ajv package to the latest compatible version. Followings are version details:
- Affected version(s): < 6.12.3
- Patched version(s): 6.12.3
References
- GHSA-v88g-cgmw-v5xw
- hackerone.com
- security.netapp.com
- CVE-2020-15366
- CWE-1321
- CWE-915
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- Prototype Pollution in systeminformation - CVE-2020-26245
- Prototype Pollution in asciitable.js - CVE-2020-7771
- Prototype pollution in gsap - CVE-2020-28478
- yargs-parser Vulnerable to Prototype Pollution - CVE-2020-7608
You might also like:
- Tags:
- npm
- ajv
Anything's wrong? Let us know Last updated on June 21, 2024