Description

Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.

Remediation

References

https://chartkick.com

https://github.com/ankane/chartkick.js/issues/117

https://github.com/ankane/chartkick/blob/master/CHANGELOG.md

https://github.com/ankane/chartkick/commit/b810936bbf687bc74c5b6dba72d2397a399885fa

https://github.com/ankane/chartkick/commits/master

https://rubygems.org/gems/chartkick/

Related Vulnerabilities

CVE-2020-12265 Vulnerability in maven package org.webjars:decompress

CVE-2020-14967 Vulnerability in maven package org.webjars.bowergithub.kjur:jsrsasign

CVE-2017-7672 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2017-3150 Vulnerability in maven package org.apache.atlas:apache-atlas

CVE-2017-18214 Vulnerability in maven package org.webjars.npm:moment

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Product Third Party Advisory Release Notes Patch NVD-CWE-noinfo