| Summary | Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release. |
|---|---|
| Publication Date | Nov. 25, 2020, 8:15 a.m. |
| Registration Date | Jan. 26, 2021, 11:55 a.m. |
| Last Update | Nov. 21, 2024, 2:19 p.m. |
| CVSS3.1 : HIGH | |
| スコア | 8.7 |
|---|---|
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H |
| 攻撃元区分(AV) | ネットワーク |
| 攻撃条件の複雑さ(AC) | 低 |
| 攻撃に必要な特権レベル(PR) | 低 |
| 利用者の関与(UI) | 要 |
| 影響の想定範囲(S) | 変更あり |
| 機密性への影響(C) | なし |
| 完全性への影響(I) | 高 |
| 可用性への影響(A) | 高 |
| CVSS2.0 : MEDIUM | |
| Score | 4.9 |
|---|---|
| Vector | AV:N/AC:M/Au:S/C:N/I:P/A:P |
| 攻撃元区分(AV) | ネットワーク |
| 攻撃条件の複雑さ(AC) | 中 |
| 攻撃前の認証要否(Au) | 単一 |
| 機密性への影響(C) | なし |
| 完全性への影響(I) | 低 |
| 可用性への影響(A) | 低 |
| Get all privileges. | いいえ |
| Get user privileges | いいえ |
| Get other privileges | いいえ |
| User operation required | はい |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:highlightjs:highlight.js:*:*:*:*:*:node.js:*:* | 10.1.0 | 10.1.2 | |||
| cpe:2.3:a:highlightjs:highlight.js:*:*:*:*:*:node.js:*:* | 9.18.2 | ||||
| Configuration2 | or higher | or less | more than | less than | |
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* | |||||
| Configuration3 | or higher | or less | more than | less than | |
| cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* | 8.0.30 | ||||
| Title | Highlight.js における不変と仮定されるデータの変更に関する脆弱性 |
|---|---|
| Summary | Highlight.js には、不変と仮定されるデータの変更に関する脆弱性が存在します。 |
| Possible impacts | 情報を改ざんされる可能性があります。 |
| Solution | ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | July 21, 2020, midnight |
| Registration Date | July 16, 2021, 5:05 p.m. |
| Last Update | July 16, 2021, 5:05 p.m. |
| highlightjs |
| highlight.js 10.1.2 未満 |
| highlight.js 9.18.2 未満 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2021年07月16日] 掲載 |
July 16, 2021, 5:05 p.m. |