Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1maHY4LWZ4NWYtN2Z4Zs0V1A

Prototype Pollution in the merge and clone helper methods

Impact

The merge and clone helper methods in the src/core/util.ts module are vulnerable to prototype pollution. This also affects the popular data visualization library Apache ECharts, which uses and re-exports these two methods directly.

Patches

It has been patched in https://github.com/ecomfe/zrender/pull/826.
Users should update zrender to 5.2.1, and update echarts to 5.2.1 if the project uses echarts.
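The bug class named in the Impact section, shown as an added, self-contained illustration: a naive recursive merge that trusts every key of its input beside a guarded merge/clone of the kind the fix relies on. This is not zrender's or ECharts' code; the function names, the `UNSAFE_KEYS` list and the `UNTRUSTED_JSON` payload are constructed for the example, and the unsafe variant exists only so the test can confirm the guard makes a difference.

```javascript
// Added, self-contained illustration of the bug class in this advisory.
// It is NOT zrender's code: the function names and the input payload
// are constructed for the example.

// Keys that a generic merge/clone must never write through, because they
// reach shared prototype objects instead of the target's own data.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern: recursive merge that trusts every key of `source`.
// JSON.parse('{"__proto__": {...}}') yields an own property literally named
// "__proto__"; target["__proto__"] resolves to Object.prototype, which is
// typeof "object", so the recursion writes into the shared prototype.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' &&
        target[key] !== null && typeof target[key] === 'object') {
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drops prototype-reaching keys, only walks into plain
// objects, and only recurses into a slot the target itself owns.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;            // skip __proto__ and friends
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};                           // never reuse an inherited slot
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;                          // primitives/arrays copied as-is
    }
  }
  return target;
}

// Deep clone built on the same guarded walk, so a clone cannot have its
// prototype replaced by a "__proto__" key in the input either.
function cloneSafe(source) {
  return mergeSafe({}, source);
}

// Constructed payload shaped like untrusted JSON config reaching a merge.
const UNTRUSTED_JSON =
  '{"series": {"type": "line"}, "__proto__": {"polluted": "yes"}}';

// Runs both merges against the same payload and reports whether an unrelated
// fresh object inherited the injected property. Restores Object.prototype
// after the unsafe run so the rest of the process is unaffected.
function demonstrate() {
  const unsafeTarget = { series: {} };
  mergeUnsafe(unsafeTarget, JSON.parse(UNTRUSTED_JSON));
  const unsafeLeaked = ({}).polluted;               // "yes": Object.prototype was written
  delete Object.prototype.polluted;                 // clean up global state

  const safeTarget = { series: {} };
  mergeSafe(safeTarget, JSON.parse(UNTRUSTED_JSON));
  const safeLeaked = ({}).polluted;                 // undefined: the guard held

  const copy = cloneSafe(JSON.parse(UNTRUSTED_JSON));
  return {
    unsafeLeaked,
    safeLeaked,
    safeSeriesType: safeTarget.series.type,
    clonePrototypeIntact: Object.getPrototypeOf(copy) === Object.prototype,
    cloneHasPolluted: hasOwn(copy, 'polluted'),
  };
}

console.log(demonstrate());
```

The same key guard has to sit in both helpers: a merge without it pollutes the shared `Object.prototype` for every object in the process, and a clone without it hands back an object whose prototype is attacker-shaped data. Checking `({}).polluted` on a fresh object, as `demonstrate()` does, is the quickest way to confirm in a test suite that a merge utility does not leak into the global prototype.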

Permalink: https://github.com/advisories/GHSA-fhv8-fx5f-7fxf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maHY4LWZ4NWYtN2Z4Zs0V1A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 6.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-fhv8-fx5f-7fxf, CVE-2021-39227
References: Repository: https://github.com/ecomfe/zrender
Blast Radius: 28.3

Affected Packages

npm:zrender
Dependent packages: 296
Dependent repositories: 36,482
Downloads: 3,409,797 last month
Affected Version Ranges: < 5.2.1
Fixed in: 5.2.1
All affected versions: 2.0.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.2.0
All unaffected versions: 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5.0