NVD Vulnerability Detail

CVE-2020-7746

Summary	This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
Publication Date	Oct. 29, 2020, 5:15 p.m.
Registration Date	Jan. 26, 2021, 12:01 p.m.
Last Update	Nov. 21, 2024, 2:37 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:chartjs:chart.js::::::node.js::*					2.9.4

Related information, measures and tools

No	URL	タグ
1	https://github.com/chartjs/Chart.js/pull/7920	Patch Third Party Advisory
2	https://github.com/chartjs/Chart.js/pull/7920	Patch Third Party Advisory
3	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1019375	Exploit Third Party Advisory
4	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1019375	Exploit Third Party Advisory
5	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCHARTJS-1019376	Exploit Third Party Advisory
6	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCHARTJS-1019376	Exploit Third Party Advisory
7	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019374	Exploit Third Party Advisory
8	https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019374	Exploit Third Party Advisory
9	https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716	Exploit Third Party Advisory
10	https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-1321	オブジェクトプロトタイプ属性の不適切に制御された変更 (プロトタイプの汚染)	https://cwe.mitre.org/data/definitions/1321.html

JVN Vulnerability Information

chart.js における入力確認に関する脆弱性

Title	chart.js における入力確認に関する脆弱性
Summary	chart.js には、入力確認に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 19, 2020, midnight
Registration Date	May 18, 2021, 1:55 p.m.
Last Update	Feb. 16, 2022, 12:19 p.m.

Affected System

chartjs

Chart.js 2.9.4 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-7746	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7746
National Vulnerability Database (NVD)
2	CVE-2020-7746	https://nvd.nist.gov/vuln/detail/CVE-2020-7746

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
GitHub
1	Use Object.create(null) as merge target, to prevent prototype pollution #7920	https://github.com/chartjs/Chart.js/pull/7920

その他

No	Name	URL
JVN
1	JVNVU#94912830	https://jvn.jp/vu/JVNVU94912830/
関連文書
2	SNYK-JS-CHARTJS-1018716 (Prototype Pollution)	https://snyk.io/vuln/SNYK-JS-CHARTJS-1018716

Change Log

No	Changed Details	Date of change
1	[2021年05月18日] 掲載	May 18, 2021, 1:55 p.m.
2	[2022年02月16日] 参考情報：JVN (JVNVU#94912830) を追加	Feb. 16, 2022, 11:51 a.m.