CVE-2020-15366

MEDIUM

Description

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

References

https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

https://github.com/ajv-validator/ajv/tags

https://hackerone.com/bugs?subject=user&report_id=894259

Details

Source: MITRE

Published: 2020-07-15

Updated: 2020-07-28

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 5.6

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Impact Score: 3.4

Exploitability Score: 2.2

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:ajv.js:ajv:6.12.2:*:*:*:*:*:*:*

Tenable Plugins

View all (9 total)

IDNameProductFamilySeverity
146802CentOS 8 : nodejs:10 (CESA-2021:0548)NessusCentOS Local Security Checks
high
146638Oracle Linux 8 : nodejs:10 (ELSA-2021-0548)NessusOracle Linux Local Security Checks
high
146637Oracle Linux 8 : nodejs:14 (ELSA-2021-0551)NessusOracle Linux Local Security Checks
high
146548CentOS 8 : nodejs:14 (CESA-2021:0551)NessusCentOS Local Security Checks
high
146547RHEL 8 : nodejs:10 (RHSA-2021:0548)NessusRed Hat Local Security Checks
high
146540RHEL 8 : nodejs:14 (RHSA-2021:0551)NessusRed Hat Local Security Checks
high
145990CentOS 8 : nodejs:12 (CESA-2020:5499)NessusCentOS Local Security Checks
high
144390RHEL 8 : nodejs:12 (RHSA-2020:5499)NessusRed Hat Local Security Checks
high
144372Oracle Linux 8 : nodejs:12 (ELSA-2020-5499)NessusOracle Linux Local Security Checks
high