CVE-2020-15366
First published: Sat Jul 04 2020(Updated: )
A flaw was found in nodejs-ajv. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/automation-hub | <0:4.2.2-1.el7 | 0:4.2.2-1.el7 |
| redhat/python3-django | <0:2.2.18-1.el7 | 0:2.2.18-1.el7 |
| redhat/python-bleach | <0:3.3.0-1.el7 | 0:3.3.0-1.el7 |
| redhat/python-bleach-allowlist | <0:1.0.3-1.el7 | 0:1.0.3-1.el7 |
| redhat/python-galaxy-importer | <0:0.2.15-1.el7 | 0:0.2.15-1.el7 |
| redhat/python-galaxy-ng | <0:4.2.2-1.el7 | 0:4.2.2-1.el7 |
| redhat/python-pulp-ansible | <1:0.5.6-1.el7 | 1:0.5.6-1.el7 |
| redhat/automation-hub | <0:4.2.2-1.el8 | 0:4.2.2-1.el8 |
| redhat/python3-django | <0:2.2.18-1.el8 | 0:2.2.18-1.el8 |
| redhat/python-bleach | <0:3.3.0-1.el8 | 0:3.3.0-1.el8 |
| redhat/python-bleach-allowlist | <0:1.0.3-1.el8 | 0:1.0.3-1.el8 |
| redhat/python-galaxy-importer | <0:0.2.15-1.el8 | 0:0.2.15-1.el8 |
| redhat/python-galaxy-ng | <0:4.2.2-1.el8 | 0:4.2.2-1.el8 |
| redhat/python-pulp-ansible | <1:0.5.6-1.el8 | 1:0.5.6-1.el8 |
| redhat/rh-nodejs12-nodejs | <0:12.19.1-2.el7 | 0:12.19.1-2.el7 |
| redhat/rh-nodejs14-nodejs | <0:14.15.4-2.el7 | 0:14.15.4-2.el7 |
| redhat/rh-nodejs10-nodejs | <0:10.23.1-2.el7 | 0:10.23.1-2.el7 |
| redhat/nodejs-ajv | <6.12.3 | 6.12.3 |
| Ajv.js Ajv | =6.12.2 | |
| npm/ajv | <6.12.3 | 6.12.3 |
| IBM Cloud Pak for Security (CP4S) | <=1.6.0.1 | |
| IBM Cloud Pak for Security (CP4S) | <=1.6.0.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.5.0.1 | |
| IBM Cloud Pak for Security (CP4S) | <=1.5.0.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.4.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-15366 https://nvd.nist.gov/vuln/detail/CVE-2020-15366 https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://bugzilla.redhat.com/show_bug.cgi?id=1857977
- https://access.redhat.com/errata/RHSA-2021:0781
- https://access.redhat.com/errata/RHSA-2020:5499
- https://access.redhat.com/errata/RHSA-2021:0548
- https://access.redhat.com/errata/RHSA-2021:0551
- https://access.redhat.com/errata/RHSA-2020:4298
- https://access.redhat.com/errata/RHSA-2021:3917
- https://access.redhat.com/errata/RHSA-2020:5305
- https://access.redhat.com/errata/RHSA-2021:0421
- https://access.redhat.com/errata/RHSA-2021:0521
- https://access.redhat.com/security/cve/cve-2020-15366
- https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
- https://hackerone.com/bugs?subject=user&report_id=894259
- https://github.com/ajv-validator/ajv/commit/988982d3fde08e3ea074e8942442834e78c45587
- https://snyk.io/vuln/SNYK-JS-AJV-584908
- https://github.com/nodejs/node/blob/v10.x/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
- https://github.com/nodejs/node/blob/v12.x/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
- https://github.com/nodejs/node/blob/v14.x/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
- https://github.com/ajv-validator/ajv/tags
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://nvd.nist.gov/vuln/detail/CVE-2020-15366
- https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f
- https://security.netapp.com/advisory/ntap-20240621-0007
- https://github.com/advisories/GHSA-v88g-cgmw-v5xw (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/185626
- https://www.ibm.com/support/pages/node/6453115 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2020-15366.
What is the severity of CVE-2020-15366?
The severity of CVE-2020-15366 is medium, with a severity value of 5.6.
What is the affected software for CVE-2020-15366?
The affected software for CVE-2020-15366 includes nodejs-ajv versions up to 6.12.3.
How can I fix the vulnerability in nodejs-ajv?
To fix the vulnerability in nodejs-ajv, upgrade to version 6.12.3.
Where can I find more information about CVE-2020-15366?
You can find more information about CVE-2020-15366 in the following references: [Link 1](https://github.com/ajv-validator/ajv/releases/tag/v6.12.3), [Link 2](https://hackerone.com/bugs?subject=user&report_id=894259), [Link 3](https://github.com/ajv-validator/ajv/commit/988982d3fde08e3ea074e8942442834e78c45587).
- collector/redhat-cve
- agent/first-publish-date
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-15366
- agent/software-canonical-lookup
- agent/severity
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-v88g-cgmw-v5xw
- agent/weakness
- collector/nvd-cve
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/references
- agent/softwarecombine
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- package-manager/redhat
- vendor/ajv.js
- canonical/ajv.js ajv
- version/ajv.js ajv/6.12.2
- package-manager/npm
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.6.0.1
- version/ibm cloud pak for security (cp4s)/1.6.0.0
- version/ibm cloud pak for security (cp4s)/1.5.0.1
- version/ibm cloud pak for security (cp4s)/1.5.0.0
- version/ibm cloud pak for security (cp4s)/1.4.0.0