CVE-2021-39227 – zrender

Package

Manager: npm
Name: zrender
Vulnerable Version: >=5.0.0 <5.2.1 || >=0 <4.3.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00396 pctl0.59623

Details

Prototype Pollution in the merge and clone helper methods ### Impact Using `merge` and `clone` helper methods in the `src/core/util.ts` module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly. ### Patches It has been patched in https://github.com/ecomfe/zrender/pull/826. Users should update zrender to `5.2.1`. and update echarts to `5.2.1` if project is using echarts. ### References NA ### For more information NA

Metadata

Created: 2021-09-20T19:53:15Z
Modified: 2024-12-06T18:20:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-fhv8-fx5f-7fxf/GHSA-fhv8-fx5f-7fxf.json
CWE IDs: ["CWE-1321", "CWE-915"]
Alternative ID: GHSA-fhv8-fx5f-7fxf
Finding: F390
Auto approve: 1