Source: dojo Version: 1.15.2+dfsg1-1 Severity: important Tags: security upstream
Hi, The following vulnerability was published for dojo. CVE-2020-5258[0]: | In affected versions of dojo (NPM package), the deepCopy method is | vulnerable to Prototype Pollution. Prototype Pollution refers to the | ability to inject properties into existing JavaScript language | construct prototypes, such as objects. An attacker manipulates these | attributes to overwrite, or pollute, a JavaScript application object | prototype of the base object by injecting other values. This has been | patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-5258 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5258 [1] https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2 [2] https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d Please adjust the affected versions in the BTS as needed. Regards, Salvatore
