#VU55498 Prototype pollution in Ajv


Published: 2021-08-02

Vulnerability identifier: #VU55498

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-15366

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ajv
Web applications / JS libraries

Vendor: Ajv

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ajv: 6.12.0 - 6.12.2

External links
http://hackerone.com/bugs?subject=user&report_id=894259
http://github.com/ajv-validator/ajv/releases/tag/v6.12.3
http://github.com/ajv-validator/ajv/tags

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Watson Machine Learning Accelerator on Cloud Pak for Data
Multiple vulnerabilities in IBM QRadar User Behavior Analytics
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Prototype pollution in Watson AI Gateway for Cloud Pak for Data
Multiple vulnerabilities in Red Hat Ansible Automation Platform
Red Hat Software Collections update for rh-nodejs12-nodejs
Prototype pollution in Ajv