Fluid Attacks Database

Description

Prototype Pollution in Ajv An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	node-ajv	>=0 <6.12.4-1	6.12.4-1
npm	ajv	>=0 <6.12.3	6.12.3
debian 12	node-ajv	>=0 <6.12.4-1	6.12.4-1
debian 13	node-ajv	>=0 <6.12.4-1	6.12.4-1
debian 14	node-ajv	>=0 <6.12.4-1	6.12.4-1
rpm rhel8	nodejs	<1:10.23.1-1.module+el8.3.0+9502+012d8a97	1:10.23.1-1.module+el8.3.0+9502+012d8a97

Aliases

1. CVE-2020-153662. NVD-2020-153663. OSV-DEBIAN-2020-153664. OSV-2020-153665. GCVE-2020-153666. SECURITY-TRACKER-CVE-2020-15366

References

1. https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f2. https://github.com/ajv-validator/ajv/releases/tag/v6.12.33. https://github.com/ajv-validator/ajv/tags4. https://hackerone.com/bugs?subject=user&report_id=8942595. https://security.netapp.com/advisory/ntap-20240621-0007

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.