Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1maHY4LWZ4NWYtN2Z4Zs0V1A
Prototype Pollution in the merge and clone helper methods
Impact
Using merge
and clone
helper methods in the src/core/util.ts
module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly.
Patches
It has been patched in https://github.com/ecomfe/zrender/pull/826.
Users should update zrender to 5.2.1
. and update echarts to 5.2.1
if project is using echarts.
References
NA
For more information
NA
Permalink: https://github.com/advisories/GHSA-fhv8-fx5f-7fxfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maHY4LWZ4NWYtN2Z4Zs0V1A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: 20 days ago
CVSS Score: 6.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00336
EPSS Percentile: 0.70912
Identifiers: GHSA-fhv8-fx5f-7fxf, CVE-2021-39227
References:
- https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf
- https://nvd.nist.gov/vuln/detail/CVE-2021-39227
- https://github.com/ecomfe/zrender/pull/826
- https://github.com/ecomfe/zrender/releases/tag/5.2.1
- https://github.com/advisories/GHSA-fhv8-fx5f-7fxf
Blast Radius: 28.3
Affected Packages
npm:zrender
Dependent packages: 296Dependent repositories: 36,482
Downloads: 4,112,570 last month
Affected Version Ranges: <= 4.3.2, >= 5.0.0, < 5.2.1
Fixed in: 4.3.3, 5.2.1
All affected versions: 2.0.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.2.0
All unaffected versions: 4.3.3, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5.0, 5.6.0, 5.6.1