CVE-2020-8141

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-8141

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8141.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-8141

Aliases

GHSA-297x-8xj4-vcxv

Published

2020-03-15T18:15:11Z

Modified

2024-10-12T06:38:50.856426Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.

References

Affected packages

Debian:11 / node-dot

Package

Name: node-dot
Purl: pkg:deb/debian/node-dot?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.3+ds-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-dot

Package

Name: node-dot
Purl: pkg:deb/debian/node-dot?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.3+ds-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-dot

Package

Name: node-dot
Purl: pkg:deb/debian/node-dot?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.3+ds-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/olado/dot

Affected ranges

Type: GIT
Repo: https://github.com/olado/dot
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

9b4640962f4578404ef05e9ea9f24caf16088f5f

Affected versions

0.*

0.2.0

1.*

1.0.1

1.0.3

1.1.0

1.1.1

v1.*

v1.1.2