Lucene search
GoogleOSV:GHSA-5PM8-492C-92P5HistoryDec 02, 2019 - 6:04 p.m.
Prototype Pollution in chartkick
2019-12-0218:04:11
Google
osv.dev
5
0.002 Low
EPSS
Percentile
61.5%
Affected versions of @polymer/polymer are vulnerable to prototype pollution. The package fails to prevent modification of object prototypes through chart options containing a payload such as {"__proto__": {"polluted": true}}. It is possible to achieve the same results if a chart loads data from a malicious server.
Recommendation
Upgrade to version 3.2.0 or later.
References
chartkick.com
github.com/ankane/chartkick.js/issues/117
github.com/ankane/chartkick/blob/master/CHANGELOG.md
github.com/ankane/chartkick/commit/b810936bbf687bc74c5b6dba72d2397a399885fa
github.com/ankane/chartkick/commits/master
github.com/rubysec/ruby-advisory-db/blob/master/gems/chartkick/CVE-2019-18841.yml
nvd.nist.gov/vuln/detail/CVE-2019-18841
rubygems.org/gems/chartkick
Related
cvelist
cvelist
CVE-2019-18841
2019-11-11 00:05:37
nodejs
nodejs
Prototype Pollution
2019-11-11 18:28:46
nvd
nvd
CVE-2019-18841
2019-11-11 01:15:10
cve
cve
CVE-2019-18841
2019-11-11 01:15:10
veracode
veracode
Prototype Pollution
2019-11-11 02:19:49
debiancve
debiancve
CVE-2019-18841
2019-11-11 01:15:10
prion
prion
Code injection
2019-11-11 01:15:00
osv
osv
CVE-2019-18841
2019-11-11 01:15:10
ubuntucve
ubuntucve
CVE-2019-18841
2019-11-11 00:00:00
github
github
Prototype Pollution in chartkick
2019-12-02 18:04:11