CVE-2020-5258

Name of the Vulnerable Software and Affected Versions dojo versions prior to 1.12.8 dojo versions prior to 1.13.7 dojo versions prior to 1.14.6 dojo versions prior to 1.15.3 dojo versions prior to 1.16.2

Description The issue exists due to the lack of measures to neutralize special elements in the dojo component of the Oracle MySQL Cluster system. This allows a remote attacker to compromise data integrity. The deepCopy method in affected versions of dojo (NPM package) is vulnerable to Prototype Pollution, which refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker can manipulate these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.

Recommendations For versions prior to 1.12.8, update to version 1.12.8 or later. For versions prior to 1.13.7, update to version 1.13.7 or later. For versions prior to 1.14.6, update to version 1.14.6 or later. For versions prior to 1.15.3, update to version 1.15.3 or later. For versions prior to 1.16.2, update to version 1.16.2 or later. As a temporary workaround, consider disabling the deepCopy method until a patch is available. Restrict access to the vulnerable dojo module to minimize the risk of exploitation. Avoid using the deepCopy method in affected API endpoints until the issue is resolved.