
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVE-2021-39227

Severity High
Score 9.8/10

Summary

ZRender is a lightweight graphics library that provides 2D drawing capabilities for Apache ECharts. In versions prior to 5.2.1, the "merge" and "clone" helper methods in the "src/core/util.ts" module can lead to prototype pollution when they are given attacker-controlled input. This also affects the popular data visualization library Apache ECharts, which directly uses and exports these two methods. The GitHub Security Advisory for this vulnerability includes a proof of concept. A workaround is available: check whether "__proto__" exists among the object's keys and omit it before passing the object to an affected method, such as "echarts.util.merge" or "setOption" if the project uses ECharts.

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: HIGH
  • Integrity: HIGH
  • Availability: HIGH

CVSS v3 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-1321 - Prototype Pollution

Prototype pollution is one of the lesser-known vulnerability classes. It lets an attacker abuse JavaScript's prototype chain by injecting properties into the shared prototype, "Object.prototype", typically through keys such as "__proto__" or "constructor" in untrusted input that is merged, cloned or deep-copied recursively. Because nearly every object in a JavaScript program inherits from "Object.prototype", a polluted property shows up on all objects in the entire app, potentially resulting in denial of service, arbitrary code execution, cross-site scripting, etc.

Advisory Timeline

  • Published