Description

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Remediation

References

https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

https://github.com/ajv-validator/ajv/tags

https://hackerone.com/bugs?subject=user&report_id=894259

https://security.netapp.com/advisory/ntap-20240621-0007/

Related Vulnerabilities

CVE-2016-6816 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2018-3758 Vulnerability in npm package express-cart

CVE-2019-14862 Vulnerability in maven package org.webjars.bowergithub.knockout:knockout

CVE-2019-16552 Vulnerability in maven package com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger

CVE-2018-12536 Vulnerability in maven package org.eclipse.jetty:jetty-util

Severity

Medium

Classification

CWE-1321 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Release Notes Third Party Advisory Permissions Required