Description

Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.

Remediation

References

https://chartkick.com

https://github.com/ankane/chartkick.js/issues/117

https://github.com/ankane/chartkick/blob/master/CHANGELOG.md

https://github.com/ankane/chartkick/commit/b810936bbf687bc74c5b6dba72d2397a399885fa

https://github.com/ankane/chartkick/commits/master

https://rubygems.org/gems/chartkick/

Related Vulnerabilities

CVE-2016-10744 Vulnerability in maven package org.webjars.bowergithub.select2:select2

CVE-2019-16571 Vulnerability in maven package org.jenkins-ci.plugins:rapiddeploy-jenkins

CVE-2021-41532 Vulnerability in maven package org.apache.ozone:ozone-recon

CVE-2016-10694 Vulnerability in npm package alto-saxophone

CVE-2022-23458 Vulnerability in npm package tui-grid

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Product Third Party Advisory Release Notes Patch NVD-CWE-noinfo