CVE-2020-28458
Prototype Pollution vulnerability in datatables.net (npm)
What is CVE-2020-28458 About?
All versions of the `datatables.net` package are vulnerable to Prototype Pollution. The flaw stems from an incomplete fix for a previously identified vulnerability, which allows attackers to inject arbitrary properties into JavaScript object prototypes. This can lead to unpredictable application behavior or further exploitation. Exploitation typically involves supplying specially crafted input.
Affected Software
Technical Details
The `datatables.net` package is affected by a Prototype Pollution vulnerability because an incomplete fix was applied for a prior report (SNYK-JS-DATATABLESNET-598806). This category of vulnerability arises when an application's functions for extending, merging, or assigning properties to JavaScript objects do not properly sanitize or validate property names. An attacker can supply input containing the `__proto__` property name, potentially along with `constructor` or `prototype`, within data structures that are processed by the vulnerable `datatables.net` component. When this malicious input is processed, the properties specified by the attacker under `__proto__` are written directly onto `Object.prototype`, affecting every JavaScript object in the application. This can lead to unexpected behavior, type confusion, arbitrary property assignment, or even arbitrary code execution if other parts of the application rely on the integrity of object prototypes.
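The mechanism described above, as an added example that is not code from datatables.net: a hypothetical naive deep-merge next to a hardened one, driven by a constructed payload and a `pollutes` check (the function and constant names are this example's own).

```javascript
// Hypothetical naive recursive merge (not datatables.net's code): it walks
// every key in `src`, so a key named "__proto__" is looked up on `target`,
// which yields Object.prototype, and the nested values are written there.
function naiveDeepMerge(target, src) {
  for (const key in src) {
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: refuses the three keys that reach the prototype chain and
// only recurses into properties `target` actually owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload of the shape described above. JSON.parse creates an own
// property literally named "__proto__"; it does not change the parsed object's prototype.
const PAYLOAD = JSON.parse('{"columns": [], "__proto__": {"polluted": "yes"}}');

// Merges the payload into a fresh object and reports whether an unrelated object
// afterwards inherits the injected property; cleans up so repeated checks start clean.
function pollutes(mergeFn) {
  try {
    mergeFn({}, PAYLOAD);
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('naive merge pollutes:', pollutes(naiveDeepMerge)); // true
console.log('safe merge pollutes:', pollutes(safeDeepMerge));   // false
```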
What is the Impact of CVE-2020-28458?
Successful exploitation may allow attackers to alter application logic, bypass security controls, lead to denial of service, or potentially achieve arbitrary code execution via compromised object prototypes.
What is the Exploitability of CVE-2020-28458?
Exploitation requires an attacker to feed specially crafted input to an application that processes it using the vulnerable datatables.net package. The complexity depends on how the package is integrated and what user-controlled input it handles; it can range from moderate to complex. No authentication is inherently required if the vulnerable processing occurs on publicly accessible data or interactions. This is typically a remote attack if the attacker can submit data remotely. The prerequisite is that the web application uses datatables.net and exposes a vector for user-controlled data to interact with its object manipulation functions. The existence of a proof of concept suggests that the vulnerability is well-understood and exploitable, increasing the risk, especially in applications that process complex JSON or similar data structures.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| fazilbaig1 | Link | Affected versions of this package are vulnerable to Prototype Pollution. |
What are the Available Fixes for CVE-2020-28458?
Available Upgrade Options
- datatables.net: versions <1.10.22 → upgrade to 1.10.22
Additional Resources
- https://github.com/DataTables/DataTablesSrc
- https://github.com/DataTables/Dist-DataTables/blob/master/js/jquery.dataTables.js#L2766
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03
- https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806
- https://nvd.nist.gov/vuln/detail/CVE-2020-28458
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1051962
- https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402
What are Similar Vulnerabilities to CVE-2020-28458?
Similar Vulnerabilities: CVE-2020-28472, CVE-2020-28478, CVE-2019-11358, CVE-2019-7609, CVE-2021-23337
