Under certain conditions, the 3.1.x series of Chartkick.js is vulnerable to prototype pollution. This is the same type of issue that was announced for jQuery and other popular libraries earlier this year. jQuery rated this a "minor vulnerability". It's certainly unintended behavior, but since Chartkick.js is a client-side only library, its impact is likely limited. This vulnerability has been assigned the CVE identifier CVE-2019-18841.
Hey @guimard, I didn't find any other affected versions in my testing, but please follow up with the email address in my profile if you can demonstrate the issue in other versions, and I'll update the CVE accordingly.
Versions Affected: 3.1.0 to 3.1.3
Fixed Versions: 3.2.0
Versions Unaffected: < 3.1.0
Impact
Passing untrusted input to `JSON.parse` and the result to Chartkick.js can pollute `Object.prototype`. A specially crafted response in data loaded via URL can cause pollution as well.
All users running an affected release should upgrade immediately.
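The mechanism behind this class of bug, as an added example that is not Chartkick.js's own code: a recursive options merge that walks every key of a `JSON.parse` result will follow a `"__proto__"` key into `Object.prototype` and write into it. `mergeUnsafe` is the illustrative vulnerable pattern, `mergeSafe` the hardened form (own keys only, `__proto__`/`constructor`/`prototype` skipped), and `demo` feeds both a constructed payload of the kind a crafted JSON response or URL-loaded dataset could carry. Function names and the payload are assumptions for illustration.

```javascript
// Added example, not code from Chartkick.js. Shows how a naive deep merge
// over JSON.parse output pollutes Object.prototype, and a hardened merge.

// Naive recursive merge: iterates every enumerable key, including an own
// "__proto__" key that JSON.parse happily creates, and recurses into
// target["__proto__"], which resolves to Object.prototype.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: only own keys of the source, with the keys that reach a
// shared prototype skipped, and recursion only into an own, plain object.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (
        !Object.prototype.hasOwnProperty.call(target, key) ||
        typeof target[key] !== "object" ||
        target[key] === null
      ) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Quick check a page can run after merging untrusted options: a property
// that appears on a fresh empty object came from the prototype chain.
function isPolluted(prop) {
  return ({})[prop] !== undefined;
}

// Constructed payload (assumption): what a crafted JSON response might look like.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": "yes"}, "title": "Sales"}';

// Runs one merge strategy against the payload and reports whether
// Object.prototype was written to, then undoes the global side effect so
// repeated runs start clean.
function demo(mergeFn) {
  const untrusted = JSON.parse(UNTRUSTED_JSON);
  const options = mergeFn({ title: "Default" }, untrusted);
  const leaked = isPolluted("polluted") ? ({}).polluted : undefined;
  delete Object.prototype.polluted;
  return { title: options.title, leaked: leaked };
}

console.log("unsafe merge:", demo(mergeUnsafe)); // leaked: "yes"
console.log("safe merge:  ", demo(mergeSafe));   // leaked: undefined
```

The `isPolluted` check is cheap enough to keep in a test suite for any code path that merges `JSON.parse` output into options: if a property you never defined shows up on `{}`, something upstream wrote into `Object.prototype`.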