CVE-2020-15366
low-risk
Published 2020-07-15
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Do I need to act?
-
0.35% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.6/10
Medium
NETWORK
/ HIGH complexity
Affected Products (1)
Ajv
Affected Vendors
References (8)
Third Party Advisory
https://github.com/ajv-validator/ajv/tags
Permissions Required
https://hackerone.com/bugs?subject=user&report_id=894259
Third Party Advisory
https://github.com/ajv-validator/ajv/tags
Permissions Required
https://hackerone.com/bugs?subject=user&report_id=894259
24
/ 100
low-risk
Severity
18/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal