Input validation error in Chart.js

#VU60879 Input validation error in Chart.js

Published: 2022-02-25

Vulnerability identifier: #VU60879

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7746

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Chart.js
Web applications / JS libraries

Vendor: chartjs

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to Prototype Pollution in the "options" parameter. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..

Vulnerable software versions

Chart.js: 2.0.0 - 2.9.3

External links
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCHARTJS-1019376
http://github.com/chartjs/Chart.js/pull/7920
http://snyk.io/vuln/SNYK-JS-CHARTJS-1018716
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1019375
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019374

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM Tivoli Netcool Impact update for Chart.js

Multiple vulnerabilities in Zimbra

Multiple vulnerabilities in IBM Business Automation Manager Open Editions

Multiple vulnerabilities in Red Hat Process Automation Manager

Multiple vulnerabilities in Mitsubishi Electric EcoWebServerIII

Denial of service in Chart.js