CVSS: 7.7EPSS: 0%CPEs: 24EXPL: 2CVE-2020-5258 – Prototype pollution in dojo
https://notcve.org/view.php?id=CVE-2020-5258
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2 En las versiones afectadas de dojo (paquete NPM), el método deepCopy es vulnerable a una Contaminación de Prototipo. La Contaminación de Prototipo se refiere a la capacidad de inyectar propiedades en prototipos de construcciones de lenguaje JavaScript existentes, tales como objetos. • https://github.com/ossf-cve-benchmark/CVE-2020-5258 https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2 https://lists.apache.org/thread.html/r3638722360d7ae95f874280518b8d987d799a76df7a9cd78eac33a1b%40%3Cusers.qpid.apache.org%3E https://lists.apache.org/thread.html/r665fcc152bd0fec9f71511a6c2435ff24d3a71386b01b1a6df326fd3%40%3Cusers.qpid.apache.org%3E https://lists.apache.org/thread.html/rf481b3f25f05c52ba4e24991a941c1a6e88d281c6c9360a806554d00%40%3Cusers.qpid.apache.o • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.0EPSS: 62%CPEs: 63EXPL: 1CVE-2020-5398 – RFD Attack via "Content-Disposition" Header Sourced from Request Input by Spring MVC or Spring WebFlux Application
https://notcve.org/view.php?id=CVE-2020-5398
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. En Spring Framework, versiones 5.2.x anteriores a 5.2.3, versiones 5.1.x anteriores a 5.1.13 y versiones 5.0.x anteriores a 5.0.16, una aplicación es vulnerable a un ataque de tipo reflected file download (RFD) cuando se establece un encabezado "Content-Disposition" en la respuesta donde el atributo filename es derivado de la entrada suministrada por el usuario. A flaw was found in springframework in versions prior to 5.0.16, 5.1.13, and 5.2.3. A reflected file download (RFD) attack is possible when a "Content-Disposition" header is set in response to where the filename attribute is derived from user supplied input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://github.com/motikan2010/CVE-2020-5398 https://lists.apache.org/thread.html/r028977b9b9d44a89823639aa3296fb0f0cfdd76b4450df89d3c4fbbf%40%3Cissues.karaf.apache.org%3E https://lists.apache.org/thread.html/r0f2d0ae1bad2edb3d4a863d77f3097b5e88cfbdae7b809f4f42d6aad%40%3Cissues.karaf.apache.org%3E https://lists.apache.org/thread.html/r0f3530f7cb510036e497532ffc4e0bd0b882940448cf4e233994b08b%40%3Ccommits.karaf.apache.org%3E https://lists.apache.org/thread.html/r1accbd4f31ad2f40e1661d70a4510a584eb3efd1e32e8660ccf46676%40%3Ccommits.karaf.apache.org%3E https://lists.apache.org&#x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-494: Download of Code Without Integrity Check •
CVSS: 3.5EPSS: 0%CPEs: 9EXPL: 0CVE-2020-2694 – mysql: Server: Information Schema unspecified vulnerability (CPU Jan 2020)
https://notcve.org/view.php?id=CVE-2020-2694
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.18 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). • https://security.gentoo.org/glsa/202105-27 https://security.netapp.com/advisory/ntap-20200122-0002 https://usn.ubuntu.com/4250-1 https://www.oracle.com/security-alerts/cpujan2020.html https://access.redhat.com/security/cve/CVE-2020-2694 https://bugzilla.redhat.com/show_bug.cgi?id=1796889 •
CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 0CVE-2020-2686 – mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2020)
https://notcve.org/view.php?id=CVE-2020-2686
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). • https://security.gentoo.org/glsa/202105-27 https://security.netapp.com/advisory/ntap-20200122-0002 https://usn.ubuntu.com/4250-1 https://www.oracle.com/security-alerts/cpujan2020.html https://access.redhat.com/security/cve/CVE-2020-2686 https://bugzilla.redhat.com/show_bug.cgi?id=1796888 •
CVSS: 4.9EPSS: 0%CPEs: 9EXPL: 0CVE-2020-2679 – mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2020)
https://notcve.org/view.php?id=CVE-2020-2679
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). • https://security.gentoo.org/glsa/202105-27 https://security.netapp.com/advisory/ntap-20200122-0002 https://usn.ubuntu.com/4250-1 https://www.oracle.com/security-alerts/cpujan2020.html https://access.redhat.com/security/cve/CVE-2020-2679 https://bugzilla.redhat.com/show_bug.cgi?id=1796887 •