CVE-2020-15366 | ajv:5.5.2 (CWE-915)

[ckalpakoglu]

Due Date: 2023-01-10

A medium severity vulnerability has been discovered in your project.

Project Name: kondukto-ui-vue

Scanner Name: dependabot

Cwe ID: 915

Cwe Name: Improperly Controlled Modification of Dynamically Determined Object Attributes

Cwe Link: https://cwe.mitre.org/data/definitions/915.html

File: package-lock.json

Packages:

• ajv:5.5.2

References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-15366
• https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f
• https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
• https://hackerone.com/bugs?subject=user&report_id=894259
• https://github.com/ajv-validator/ajv/tags
• https://github.com/advisories/GHSA-v88g-cgmw-v5xw

Training(Secure Code Warrior):

• Name: Improperly Controlled Modification of Dynamically-Determined Object Attributes

• Description: The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/mass_assignment/generic

• Videos:

  • https://media.securecodewarrior.com/v2/module_138_mass_assignment.mp4

    ---

• Name: External Control of Assumed-Immutable Web Parameter

• Description: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/access/untrusted_source

• Videos:

  • https://media.securecodewarrior.com/v2/module_151_using_input_from_untrusted_sources.mp4

    ---

Tool Description: ### Summary

Prototype Pollution in Ajv

Fixed Patch

6.12.3

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e702 Deeplink: https://github.com/advisories/GHSA-v88g-cgmw-v5xw

[ckalpakoglu]

The issue has been closed by Kondukto since it is marked as won't fix.