{"id":"CVE-2020-5258","details":"In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as objects. An attacker manipulates these properties to overwrite, or pollute, the prototype of a JavaScript application's base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2.","aliases":["GHSA-jxfh-8wgv-vfr2"],"modified":"2026-04-10T04:27:35.848164Z","published":"2020-03-10T18:15:12.123Z","related":["CGA-4558-p3jf-w979","GHSA-jxfh-8wgv-vfr2","MGASA-2020-0232"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3%40%3Cusers.qpid.apache.org%3E"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00%40%3Cusers.qpid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b%40%3Cusers.qpid.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00012.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d"},{"type":"EVIDENCE","url":"https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dojo/dojo","events":[{"introduced":"0"},{"fixed":"0021f8ace5450d6bfb81fb0244c9f4eedf4cda38"},{"intr
oduced":"238df4db1cf1f1f8b62c8a654fd906a183adabe5"},{"fixed":"09f22e3361f85009fa494fd0402b4bcc15d3b24d"},{"introduced":"c06e1335f8a4e48c8e8b1f4650845aebd570fd49"},{"fixed":"f8708e695a81310f9d7f3674de1b8ca7688b8148"},{"introduced":"ca3ea12a564136c5b43944b496233fc27e2e8de1"},{"fixed":"9835dd3e14f12bcf2eb8c61ad5c5478c0ef3c544"},{"introduced":"d6ef76a2630e9dc95b5593de0e09c39e20678103"},{"fixed":"6a6e665271e58d2703114ccda36d0b1cd95b2075"},{"introduced":"35d43b6eeecefbc1dc013fde82a68946867a3e1b"},{"fixed":"c021be9604cff7cf323030337a8ec764afad0c49"},{"fixed":"20a00afb68f5587946dc76fbeaa68c39bda2171d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.11.10"},{"introduced":"1.12.0"},{"fixed":"1.12.8"},{"introduced":"1.13.0"},{"fixed":"1.13.7"},{"introduced":"1.14.0"},{"fixed":"1.14.6"},{"introduced":"1.15.0"},{"fixed":"1.15.3"},{"introduced":"1.16.0"},{"fixed":"1.16.2"}]}},{"type":"GIT","repo":"https://github.com/mysql/mysql-server","events":[{"introduced":"0"},{"last_affected":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"introduced":"0"},{"last_affected":"53017552a924aa1ad342c1154dc13e495c1a689f"},{"introduced":"0"},{"last_affected":"85f3961276d1c2df9bc383179c47df98f4019116"},{"introduced":"ae41ce7c4ecff5e1e336ab768867370b8c94e02d"},{"last_affected":"52edb3aeff8e09d95dfb6b8d706a3775dfa2192b"},{"introduced":"0"},{"last_affected":"45cf75598cf1f64c98fa367a100901c7deb70c37"},{"introduced":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"last_affected":"7d10c82196c8e45554f27c00681474a9fb86d137"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.0"},{"introduced":"7.3.0"},{"last_affected":"7.3.29"},{"introduced":"7.4.0"},{"last_affected":"7.4.28"},{"introduced":"7.5.0"},{"last_affected":"7.5.18"},{"introduced":"7.6.0"},{"last_affected":"7.6.14"},{"introduced":"8.0.0"},{"last_affected":"8.0.20"}]}}],"versions":["1.10.0","1.10.0-beta1","1.10.0-rc1","1.11.0","1.11.0-rc1","1.11.0-rc2","1.11.0-rc3","1.11.0-rc4","1.11.0-rc5","1.11.1","1.11.2","1.11.
3","1.11.4","1.11.5","1.11.6","1.11.7","1.11.8","1.11.9","1.12.0","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.12.6","1.12.7","1.13.0","1.13.1","1.13.2","1.13.3","1.13.4","1.13.5","1.13.6","1.14.1","1.14.2","1.14.3","1.14.4","1.14.5","1.15.0","1.15.1","1.15.2","1.16.0","1.16.1","mysql-3.23.22-beta","mysql-3.23.28-gamma","mysql-3.23.30-gamma","mysql-3.23.31","mysql-3.23.32","mysql-3.23.33","mysql-3.23.36","mysql-4.0.2","mysql-4.0.4","mysql-5.1.4","mysql-5.7-22-ndb-7.6.6","mysql-8.0.0","mysql-8.0.20","mysql-cluster-7.3.10","mysql-cluster-7.3.11","mysql-cluster-7.3.13","mysql-cluster-7.3.14","mysql-cluster-7.3.21","mysql-cluster-7.3.22","mysql-cluster-7.3.26","mysql-cluster-7.3.28","mysql-cluster-7.3.29","mysql-cluster-7.3.9","mysql-cluster-7.4.11","mysql-cluster-7.4.12","mysql-cluster-7.4.2","mysql-cluster-7.4.25","mysql-cluster-7.4.27","mysql-cluster-7.4.28","mysql-cluster-7.4.5","mysql-cluster-7.4.6","mysql-cluster-7.4.8","mysql-cluster-7.5.15","mysql-cluster-7.5.18","mysql-cluster-7.5.2","mysql-cluster-7.6.11","mysql-cluster-7.6.14","mysql-cluster-8.0.20"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3.0"}]},{"events":[{"introduced":"12.6.0"},{"last_affected":"12.6.4"}]},{"events":[{"introduced":"17.7"},{"last_affected":"17.12"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5258.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","
score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N"}]}