#VU55498 Prototype pollution in Ajv - CVE-2020-15366


Vulnerability identifier: #VU55498

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-15366

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ajv
Web applications / JS libraries

Vendor: Ajv

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ajv: 6.12.0 - 6.12.2

External links
https://hackerone.com/bugs?subject=user&report_id=894259
https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
https://github.com/ajv-validator/ajv/tags

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Planning Analytics Workspace
Multiple vulnerabilities in IBM Cognos Analytics
Multiple vulnerabilities in IBM MobileFirst Platform Foundation
Multiple vulnerabilities in Watson Machine Learning Accelerator on Cloud Pak for Data
Multiple vulnerabilities in IBM QRadar User Behavior Analytics
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Prototype pollution in Watson AI Gateway for Cloud Pak for Data
Multiple vulnerabilities in Red Hat Ansible Automation Platform
Red Hat Enterprise Linux 8 update for the nodejs:14 module
Red Hat Enterprise Linux 8 update for the nodejs:10 module