EIQ-2020-0011

ID | EIQ-2020-0011
---|---
CVE |
Description | ajv enables prototype pollution
Date | 20 Jul 2020
Severity | 3 - HIGH
CVSSv3 score | 8.1 (Snyk score)
Status | ✅ 2.9.0
Assessment | Note: Despite the high CVSS score, this vulnerability has very limited impact on the platform: ajv versions 6.12.2 and earlier could enable an attacker to inject properties into JavaScript prototype objects by exploiting a vulnerability affecting JSON schema validation: a carefully crafted JSON schema could allow execution of other code by prototype pollution. An attacker could add or modify object prototype properties of Object.prototype with a constructor or a Modified properties would then be propagated to all objects through inheritance. In this scenario, remote code execution and property injection attempts would be blocked, and it would not be possible to use these techniques. The most likely attack pattern the exploit could trigger would be a client-side denial of service (DoS). A signed-in platform user without admin access rights, and with at least the modify blob-uploads (to manually upload PDF files to the platform) and the read files (to view PDF files in the platform GUI) permissions, could exploit the vulnerability by: The client-side DoS would negatively impact web browser performance, and the browser would hang or freeze.
Mitigation | At the moment, it is not possible to globally upgrade ajv, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies. We cannot control these dependencies. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers. We are addressing this issue in a future planned release by requiring the platform and the relevant frontend dependencies to use ajv version 6.12.3 or later. Until the issue is solved:
Affected versions | 2.8.0 and earlier.
Notes | For more information, see:
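As an added example (not EclecticIQ's code and not part of this advisory), a defender-side check of the kind that limits exposure while an ajv upgrade is pending: it walks an untrusted JSON document (such as a user-supplied schema) and rejects keys that can reach Object.prototype, and it reports whether Object.prototype has gained unexpected properties after untrusted input was processed, which is the propagation effect the Assessment describes. Function names are hypothetical and the sample document is constructed.

```javascript
// Added example (not EclecticIQ's code): a pre-check applied to untrusted JSON
// before it reaches a schema validator such as ajv, plus a runtime check that
// Object.prototype has not been polluted. Helper names are hypothetical.
// The key list is deliberately conservative: it also rejects legitimate fields
// that happen to carry these names.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON value and collect the paths of any keys that could be used
// to reach Object.prototype. JSON.parse keeps "__proto__" as an own property,
// so Object.keys() exposes it here.
function findUnsafeKeys(value, path = "", found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findUnsafeKeys(item, `${path}/${i}`, found));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = `${path}/${key}`;
      if (UNSAFE_KEYS.has(key)) found.push(here);
      findUnsafeKeys(value[key], here, found);
    }
  }
  return found;
}

// Parse untrusted JSON text and refuse it if any prototype-reaching key is found.
function parseSafeJson(text) {
  const parsed = JSON.parse(text);
  const hits = findUnsafeKeys(parsed);
  if (hits.length > 0) {
    throw new Error(`rejected JSON: unsafe keys at ${hits.join(", ")}`);
  }
  return parsed;
}

// Snapshot of Object.prototype taken at startup, before untrusted input is handled.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Names of properties that appeared on Object.prototype since the snapshot.
// Anything listed here is inherited by every plain object in the process.
function unexpectedPrototypeProps() {
  return Object.getOwnPropertyNames(Object.prototype).filter(
    (name) => !PROTOTYPE_BASELINE.has(name)
  );
}

// Constructed sample: a schema-shaped document that smuggles a "__proto__" key.
const SAMPLE_SCHEMA =
  '{"type":"object","properties":{"name":{"type":"string"},"__proto__":{"type":"object"}}}';
```

Run the baseline snapshot as early as possible in process startup; a snapshot taken after untrusted input has already been handled cannot detect pollution that happened before it.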