CVE-2020-15366
Prototype Pollution vulnerability in ajv (npm)

Category: Prototype Pollution. Known exploit: none. Fixable by: Resolved Security.

What is CVE-2020-15366 About?

This vulnerability is a Prototype Pollution issue in Ajv (Another JSON Schema Validator), reported against version 6.12.2 and fixed in 6.12.3, specifically within `ajv.validate()`. Ajv compiles each schema into a JavaScript validation function, and a crafted schema can cause that process to modify object prototypes, potentially leading to code execution. Exploitation requires the attacker to supply the schema, not just the data being validated.

Affected Software

ajv <6.12.3

Technical Details

The flaw lies in `ajv.validate()`, where a carefully crafted JSON schema can lead to execution of other code by way of prototype pollution. Ajv 6 generates JavaScript source for a validation function from the schema, and the values of limit keywords (for example `maximum`, `maxItems`, `maxLength`, `maxProperties`) were emitted into that generated code without first checking that they were of the expected type. A schema that supplies non-numeric values for such keywords is therefore not merely invalid: it can influence the generated code and manipulate `Object.prototype`, adding or changing properties visible on every object, which can be leveraged for arbitrary code execution in some contexts. Although the Ajv developers warn against using untrusted schemas, the worst case for an untrusted schema should be a denial of service, not code execution.

What is the Impact of CVE-2020-15366?

Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, leading to denial of service, data corruption, or, in applications that compile untrusted schemas, remote code execution. Data validated against a trusted schema is not an attack vector for this issue.

What is the Exploitability of CVE-2020-15366?

Exploitation requires that an attacker can supply a JSON schema to `ajv.validate()` (or `ajv.compile()`). This is a remote vector when the application lets untrusted parties define or submit schemas, for example a multi-tenant API that validates customer data against customer-provided schemas. No authentication or privileges are needed beyond the ability to submit the schema. The complexity is moderate: the attacker must craft schema keyword values that survive Ajv's compilation and trigger the prototype pollution. The primary condition is an application compiling untrusted schemas; applications whose schemas ship with the code and are never influenced by input are not exposed.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2020-15366?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds explicit type checks to ensure that schema keywords like maximum, maxItems, maxLength, and maxProperties are numbers (or booleans where appropriate, as draft-04 defines exclusiveMaximum and exclusiveMinimum), throwing an error when the schema is compiled, which happens in `ajv.compile()` or on the first `ajv.validate()` call with that schema. This prevents malicious or invalid non-numeric keyword values from reaching the generated validation code, fixing CVE-2020-15366. Upgrading to 6.12.3 or later remains the recommended fix; the check is a safety net, and accepting schemas from untrusted sources is still discouraged by the Ajv developers.
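As an added example, not ajv's own code and not the Resolved Security patch, here is a pre-compile check in the spirit of both the Technical Details above and the fix described here: before an untrusted schema is handed to Ajv, walk it and reject limit keywords whose values are not numbers (or booleans where draft-04 allows them) and keys that are classic prototype-pollution gadgets. The keyword lists, the `findUnsafeSchemaKeywords` and `compileUntrustedSchema` helper names, and the sample schemas are this example's own assumptions; it does not accept Ajv `$data` references, which would need to be allowed explicitly if that option is in use.

```javascript
// Added example, not ajv's own code: a pre-compile sanity check for schemas
// that come from an untrusted source. Keyword lists and helper names are this
// example's own choices, not part of ajv or of the vendor patch.

// Keywords whose value ajv emits into generated validation code as a number.
const NUMERIC_LIMIT_KEYWORDS = new Set([
  'maximum', 'minimum', 'maxItems', 'minItems', 'maxLength', 'minLength',
  'maxProperties', 'minProperties', 'multipleOf',
]);
// draft-04 spells these as booleans, draft-06 and later as numbers.
const NUMBER_OR_BOOLEAN_KEYWORDS = new Set(['exclusiveMaximum', 'exclusiveMinimum']);
// Keywords whose values map property names to subschemas: the child keys are
// names chosen by the schema author, not keywords, so they are not type-checked.
const MAP_KEYWORDS = new Set(['properties', 'patternProperties', 'definitions', '$defs', 'dependencies']);
// Keywords whose values are data, not schema: nothing inside them is a keyword.
const DATA_KEYWORDS = new Set(['enum', 'const', 'default', 'examples']);
// Keys that reach Object.prototype when an object is walked or merged naively.
// Rejecting them as property names too is a deliberately conservative choice.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Walks a schema and returns the list of problems found (empty means the
// schema passed). Paths are JSON-pointer style, e.g. "/items/0/maxItems".
function findUnsafeSchemaKeywords(schema, path = '') {
  const problems = [];
  if (Array.isArray(schema)) {
    schema.forEach((item, i) => {
      problems.push(...findUnsafeSchemaKeywords(item, `${path}/${i}`));
    });
    return problems;
  }
  if (!isPlainObject(schema)) return problems;

  // Object.keys sees an own "__proto__" key created by JSON.parse.
  for (const key of Object.keys(schema)) {
    const value = schema[key];
    const here = `${path}/${key}`;
    if (FORBIDDEN_KEYS.has(key)) {
      problems.push(`${here}: forbidden key`);
      continue;
    }
    if (DATA_KEYWORDS.has(key)) continue;
    if (MAP_KEYWORDS.has(key) && isPlainObject(value)) {
      for (const name of Object.keys(value)) {
        if (FORBIDDEN_KEYS.has(name)) {
          problems.push(`${here}/${name}: forbidden key`);
        } else {
          problems.push(...findUnsafeSchemaKeywords(value[name], `${here}/${name}`));
        }
      }
      continue;
    }
    if (NUMERIC_LIMIT_KEYWORDS.has(key) && typeof value !== 'number') {
      problems.push(`${here}: must be a number, got ${typeof value}`);
    } else if (NUMBER_OR_BOOLEAN_KEYWORDS.has(key)
        && typeof value !== 'number' && typeof value !== 'boolean') {
      problems.push(`${here}: must be a number or boolean, got ${typeof value}`);
    }
    // Recurse into nested subschemas (items, allOf, not, additionalProperties, ...).
    problems.push(...findUnsafeSchemaKeywords(value, here));
  }
  return problems;
}

// Hypothetical wrapper: refuse to hand an unchecked untrusted schema to an
// Ajv-like instance (anything exposing compile(schema)).
function compileUntrustedSchema(ajv, schema) {
  const problems = findUnsafeSchemaKeywords(schema);
  if (problems.length > 0) {
    throw new Error(`rejected untrusted schema: ${problems.join('; ')}`);
  }
  return ajv.compile(schema);
}

// Constructed sample input: a benign schema that exercises the tricky cases
// (a property *named* "maximum", a draft-04 boolean, data under "const").
const SAFE_SCHEMA = {
  type: 'object',
  properties: {
    maximum: { type: 'string', maxLength: 10 },
    count: { type: 'integer', minimum: 0, exclusiveMinimum: true },
    tags: { type: 'array', items: { type: 'string' }, maxItems: 5 },
  },
  const: { maximum: 'data, not schema' },
};

// Stand-alone demo: the benign schema passes, a string-valued limit is rejected.
for (const s of [SAFE_SCHEMA, { type: 'number', maximum: '1' }]) {
  console.log(JSON.stringify(findUnsafeSchemaKeywords(s)));
}
```

The walker distinguishes keyword positions from name positions (`properties`, `definitions`, and friends) and skips data-valued keywords such as `const`, so a legitimate schema is not rejected merely because it contains a property called `maximum`; an attacker-controlled schema with `"maximum": "1"` or a `__proto__` key is refused before Ajv ever compiles it.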

Available Upgrade Options

  • ajv
    • <6.12.3 → Upgrade to 6.12.3


Additional Resources

What are Similar Vulnerabilities to CVE-2020-15366?

Similar Vulnerabilities: CVE-2019-10746, CVE-2020-28282, CVE-2019-10744, CVE-2020-7660, CVE-2021-23343