Description
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
Remediation
References
https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d
https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b%40%3Cusers.qpid.apache.org%3E
https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3%40%3Cusers.qpid.apache.org%3E
https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00%40%3Cusers.qpid.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
Related Vulnerabilities
CVE-2023-49803 Vulnerability in maven package org.webjars.npm:koa__cors
CVE-2020-1954 Vulnerability in maven package org.apache.cxf:cxf-rt-management
CVE-2020-9484 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2023-44483 Vulnerability in maven package org.apache.santuario:xmlsec
CVE-2018-8039 Vulnerability in maven package org.apache.cxf:cxf-rt-transports-http