Details
Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Description
A security vulnerability, CVE-2020-5258, is reported against dojo-toolkit version 1.16.0.
Its deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as objects. An attacker manipulates these attributes to overwrite, or pollute, the base object prototype of a JavaScript application by injecting other values.
Even if an attack on this vulnerability succeeds and the UI is affected by the injected values, it is not expected to have any bearing on the Qpid REST API or messaging functionality.
To prevent various scanning tools from flagging the issue, we need to upgrade dojo-toolkit to version 1.16.3.
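As an added illustration of the mitigation (this is example code, not dojo's or Qpid's), a deep copy that drops the keys a prototype-pollution payload relies on, plus a check that Object.prototype stayed clean after merging untrusted JSON; the input JSON and helper names are constructed for the example.

```javascript
// Added example, not dojo-toolkit code: a deep copy that refuses prototype-polluting keys.
// Assumes the source is plain data such as JSON.parse output (hypothetical helper names).

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Recursively copy `source` into `target`, copying only own, enumerable keys
// that are not on the forbidden list, so nothing can reach Object.prototype.
function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop polluting keys
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      // Merge only into an own plain object on target; never follow inherited properties.
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const dest = (existing !== null && typeof existing === "object") ? existing : {};
      target[key] = safeDeepCopy(dest, value);
    } else {
      // Arrays are shallow-copied; primitives are copied by value.
      target[key] = Array.isArray(value) ? value.slice() : value;
    }
  }
  return target;
}

// Regression check: a clean Object.prototype has no own enumerable keys.
function prototypeIsPolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Constructed untrusted input, shaped like JSON a REST client might send.
const untrustedJson =
  '{"theme":"dark","__proto__":{"isAdmin":true},"nested":{"constructor":{"x":1},"ok":2}}';

// Copies the untrusted input and reports whether any pollution occurred.
function demo() {
  const result = safeDeepCopy({}, JSON.parse(untrustedJson));
  return { result, polluted: prototypeIsPolluted(), leaked: ({}).isAdmin === true };
}
```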