Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1maHY4LWZ4NWYtN2Z4Zs0V1A
Prototype Pollution in the merge and clone helper methods
Impact
Using the merge and clone helper methods in the src/core/util.ts module can lead to prototype pollution. This also affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly.
Patches
It has been patched in https://github.com/ecomfe/zrender/pull/826.
Users should update zrender to 5.2.1, and update echarts to 5.2.1 if the project is using echarts.
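The example below is added here to illustrate the class of bug the advisory describes; it is not zrender's or ECharts' code, and the vulnerable `naiveMerge` is a constructed stand-in for a recursive merge helper that copies every own key of its source, including a key literally named `__proto__`. `safeMerge` shows the standard mitigation (skipping `__proto__`, `constructor` and `prototype`, and only recursing into plain objects); it is an assumption about the fix pattern, not the contents of the linked pull request. The payload in `demo` is a constructed sample.

```javascript
// Added illustration of prototype pollution in a recursive merge helper.
// Not zrender/ECharts code; the function shapes are assumptions.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Loose object check, like the typeof-based checks many merge helpers use.
function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Strict check: only objects whose prototype is Object.prototype (or null).
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// VULNERABLE: when `key` is "__proto__", `target[key]` resolves through the
// inherited accessor to Object.prototype, so the recursion writes onto the
// shared prototype and every object in the process inherits the new keys.
function naiveMerge(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const sv = source[key];
    if (isObject(sv)) {
      if (!isObject(target[key])) target[key] = {};
      naiveMerge(target[key], sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// HARDENED: refuse the dangerous keys outright, iterate own keys only, and
// only recurse into plain objects (never into functions or prototypes).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const sv = source[key];
    if (isPlainObject(sv)) {
      if (!isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], sv);
    } else {
      target[key] = sv;
    }
  }
  return target;
}

// Runs both merges against the same constructed JSON payload and reports
// whether an unrelated, freshly created object ends up with the injected key.
// JSON.parse creates an own property named "__proto__" rather than setting
// the prototype, which is exactly what lets the key reach the merge loop.
function demo() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "a": 1}'); // constructed sample

  naiveMerge({}, payload);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution so later code is unaffected

  safeMerge({}, payload);
  const safePolluted = ({}).polluted === true;

  return { naivePolluted, safePolluted };
}

console.log(JSON.stringify(demo())); // {"naivePolluted":true,"safePolluted":false}
```

The detection side of this is simple to keep in mind: if any untrusted JSON reaches a deep-merge, any later `({}).someKey !== undefined` for a key you never defined is a sign the shared prototype was written to, and denial of service (the CVSS vector above scores availability impact) follows from code paths that suddenly see unexpected inherited properties.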
References
NA
For more information
NA
Permalink: https://github.com/advisories/GHSA-fhv8-fx5f-7fxf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maHY4LWZ4NWYtN2Z4Zs0V1A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 8 days ago
CVSS Score: 6.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00245
EPSS Percentile: 0.64786
Identifiers: GHSA-fhv8-fx5f-7fxf, CVE-2021-39227
References:
- https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf
- https://nvd.nist.gov/vuln/detail/CVE-2021-39227
- https://github.com/ecomfe/zrender/pull/826
- https://github.com/ecomfe/zrender/releases/tag/5.2.1
- https://github.com/advisories/GHSA-fhv8-fx5f-7fxf
Blast Radius: 28.3
Affected Packages
npm:zrender
Dependent packages: 296
Dependent repositories: 36,482
Downloads: 4,224,587 last month
Affected Version Ranges: <= 4.3.2; >= 5.0.0, < 5.2.1
Fixed in: 4.3.3, 5.2.1
All affected versions: 2.0.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.2.0
All unaffected versions: 4.3.3, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5.0, 5.6.0, 5.6.1