All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
Weakness
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Datatables.net | Datatables | * | 1.10.23 (excluding) |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 | RedHat | cockpit-ovirt-0:0.14.20-1.el8ev | * |
| Red Hat Virtualization Engine 4.4 | RedHat | ovirt-web-ui-0:1.6.7-1.el8ev | * |
| Red Hat Virtualization Engine 4.4 | RedHat | ovirt-engine-ui-extensions-0:1.2.5-1.el8ev | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/1.html
- https://cwe.mitre.org/data/definitions/180.html
- https://cwe.mitre.org/data/definitions/77.html
References
- https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03
- https://github.com/DataTables/Dist-DataTables/blob/master/js/jquery.dataTables.js%23L2766
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1051961
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1051962
- https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402
- https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806
- https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03
- https://github.com/DataTables/Dist-DataTables/blob/master/js/jquery.dataTables.js%23L2766
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1051961
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1051962
- https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402
- https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806