PT-2021-11543 · Jointjs · Jointjs

Published

2021-01-19

Updated

2021-09-21

CVE-2020-28480

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: jointjs versions prior to 3.3.0

Description: The issue arises from the util.setByPath function, where the path used to access the object's key and set the value is not properly sanitized. This leads to a Prototype Pollution, allowing potential manipulation of the object's properties.

Recommendations: For jointjs versions prior to 3.3.0, update to version 3.3.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the util.setByPath function until a patch is applied.

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

CVE-2020-28480

GHSA-QWP9-52H8-XGG8

SNYK-JAVA-ORGWEBJARSBOWER-1062037

SNYK-JAVA-ORGWEBJARSNPM-1062036

SNYK-JS-JOINTJS-1024444

Affected Products

Jointjs

PT-2021-11543 · Jointjs · Jointjs

CVE-2020-28480

Weakness Enumeration

Related Identifiers

Affected Products

References · 10