Vulnerability Name: CVE-2020-15366 (CCN-185626)
Assigned: 2020-07-04
Published: 2020-07-04
Updated: 2022-12-02
Summary: An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
CVSS v3 Severity:
    5.6 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
    4.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
    4.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
    4.9 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
CVSS v2 Severity:
    6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-471
Vulnerability Consequences: Gain Access
References:
    Source: MITRE; Type: CNA; CVE-2020-15366
    Source: CCN; Type: Red Hat Bugzilla; Bug 1857977 (CVE-2020-15366) - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
    Source: XF; Type: UNKNOWN; ajv-cve202015366-code-exec(185626)
    Source: CCN; Type: Ajv GIT Repository; Prototype Pollution in Ajv
    Source: CCN; Type: Ajv GIT Repository; Ajv
    Source: cve@mitre.org; Type: Release Notes, Third Party Advisory; cve@mitre.org
    Source: cve@mitre.org; Type: Third Party Advisory; cve@mitre.org
    Source: cve@mitre.org; Type: Permissions Required; cve@mitre.org
    Source: CCN; Type: SNYK-JS-AJV-584908; Prototype Pollution
    Source: CCN; Type: IBM Security Bulletin 6453115 (Cloud Pak for Security); Cloud Pak for Security contains security vulnerabilities
    Source: CCN; Type: IBM Security Bulletin 6459685 (UrbanCode Velocity); CVE-2020-15366 An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2.
    Source: CCN; Type: IBM Security Bulletin 6566889 (Spectrum Discover); Critical Vulnerabilities in libraries used by libraries that IBM Spectrum discover is using (libraries of libraries)
    Source: CCN; Type: IBM Security Bulletin 6570965 (Db2 On Openshift); Multiple Vulnerabilities affect IBM Db2 On Openshift and IBM Db2 and Db2 Warehouse on Cloud Pak for Data
    Source: CCN; Type: IBM Security Bulletin 6613009 (Cloud Pak System Software); Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System
    Source: CCN; Type: IBM Security Bulletin 6857863 (MobileFirst Platform Foundation); Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform
    Source: CCN; Type: IBM Security Bulletin 6967283 (QRadar User Behavior Analytics); IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities
    Source: CCN; Type: IBM Security Bulletin 7009061 (Watson AI Gateway for Cloud Pak for Data); Watson AI Gateway for Cloud Pak for Data is vulnerable to an Ajv (aka Another JSON Schema Validator) could allow a remote attacker to execute arbitrary code on the system (CVE-2020-15366)
    Source: CCN; Type: Mend Vulnerability Database; CVE-2020-15366
Vulnerable Configuration:
    Configuration RedHat 1:
    Configuration CCN 1: