EIQ-2020-0011



ID

EIQ-2020-0011

CVE

CVE-2020-15366

Description

ajv enables prototype pollution

Date

20 Jul 2020

Severity

3 - HIGH

CVSSv3 score

8.1

(Snyk score)

Status

Fixed in 2.9.0

Assessment

Despite the high CVSS score, this vulnerability has very limited impact on the platform:

  • A client-side DoS would cause the web browser to hang.

  • To stop the DoS, refresh the affected browser tab or window.

ajv versions 6.12.2 and earlier could enable an attacker to inject properties into JavaScript prototype objects by exploiting a vulnerability affecting JSON schema validation: a carefully crafted JSON schema could allow execution of other code by prototype pollution.

An attacker could add or modify object prototype properties of Object.prototype with a constructor or a __proto__ payload.
Modified properties would then be propagated to all objects through inheritance.

In this scenario, remote code execution and property injection attempts would be blocked, so those techniques could not be used.
The most likely attack pattern the exploit could trigger would be a client-side denial of service (DoS).

A signed-in platform user without admin access rights, and with at least the modify blob-uploads (to manually upload PDF files to the platform) and the read files (to view PDF files in the platform GUI) permissions, could exploit the vulnerability by:

  1. Uploading a maliciously crafted PDF containing the payload.

  2. Triggering the exploit by opening the PDF in the platform to view it.

The client-side DoS would negatively impact web browser performance, and the browser would hang or freeze.

Mitigation

At the moment, it is not possible to globally upgrade ajv, because it occurs at least once as a sub-dependency.
Sub-dependencies are indirect dependencies of other third-party dependencies.

We cannot control these dependencies.
We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.

We are addressing this issue in a future planned release by requiring the platform and the relevant frontend dependencies to use ajv version 6.12.3 or later.
Until the issue is solved:

  • Restrict platform access to only trusted users.

  • Do not allow platform access to untrusted sources.

  • Do not allow untrusted JSON schemas.

  • In case of a client-side DoS event triggered by a PDF crafted to deliver a malicious JSON schema:

    • Refresh the affected browser tab or window to stop the DoS.

    • Do not open the PDF to view it in the platform GUI.

    • Download the PDF, and open it in a standalone viewer application.
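As an added example (not code from this advisory or from the ajv project), the following JavaScript guard applies the "do not allow untrusted JSON schemas" mitigation above: it rejects a schema whose keys include the constructor or __proto__ payload names described in the assessment before the schema reaches a validator. The FORBIDDEN_KEYS set and the two sample schemas are constructed assumptions, and the guard complements, rather than replaces, upgrading ajv to 6.12.3 or later.

```javascript
// Added example: a pre-validation guard for untrusted JSON schema text.
// Not part of the advisory or of ajv; the key list and samples are assumptions.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed schema and return the path of the first forbidden key,
// or null when none is present. Deliberately conservative: a schema that
// legitimately describes a field named "constructor" is rejected too.
function findForbiddenKey(node, path = '') {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findForbiddenKey(node[i], `${path}/${i}`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (node === null || typeof node !== 'object') return null;
  // JSON.parse stores "__proto__" as an own data property, so Object.keys
  // sees it here instead of it silently becoming the object's prototype.
  for (const key of Object.keys(node)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}/${key}`;
    const hit = findForbiddenKey(node[key], `${path}/${key}`);
    if (hit !== null) return hit;
  }
  return null;
}

// Parse schema text from an untrusted source and accept it only when clean.
// Returns { ok: true, schema } or { ok: false, reason } for the caller to log.
function loadTrustedSchema(schemaText) {
  let schema;
  try {
    schema = JSON.parse(schemaText);
  } catch (err) {
    return { ok: false, reason: `schema is not valid JSON: ${err.message}` };
  }
  const hit = findForbiddenKey(schema);
  if (hit !== null) return { ok: false, reason: `forbidden key at ${hit}` };
  return { ok: true, schema };
}

// Constructed sample inputs: a benign schema and one carrying a __proto__
// key nested under "properties", the kind of document the guard must refuse.
const BENIGN_SCHEMA = JSON.stringify({ type: 'object', properties: { name: { type: 'string' } } });
const SUSPICIOUS_SCHEMA = '{"type":"object","properties":{"__proto__":{"type":"string"}}}';

console.log(loadTrustedSchema(BENIGN_SCHEMA).ok);          // true
console.log(loadTrustedSchema(SUSPICIOUS_SCHEMA).reason);  // forbidden key at /properties/__proto__
```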

Affected versions

2.8.0 and earlier.

Notes

For more information, see:


See also:



In release notes 2.8.0

In release notes 2.9.0