Details
- Fix
- Status: Released
- Minor
- Resolution: Fixed
- 2.0.0
- None
- CVE-2021-43138
Description

Vulnerability
- Currently JS7 JOC Cockpit makes use of the Angular async package version 2.6.2.
- A vulnerability affects this version, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43138
- JS1 JobScheduler branches 1.x are not affected by this vulnerability.

Risk Mitigation
- Prototype Pollution
  - In JavaScript, prototypes define an object's structure and properties so that the application knows how to deal with the data. Modifying a prototype in one place therefore changes how every object that inherits from it behaves throughout the entire application.
  - The JOC Cockpit does not make use of dynamic prototype modification. Methods to clone, merge and extend objects are used, but they are not exposed to user input.
- Severity
  - SOS considers this a minor vulnerability for JOC Cockpit, as there is no exploit based on user input.
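The risk assessment above rests on whether clone/merge/extend helpers ever see user-controlled keys. The following added example (not JOC Cockpit or async code) shows a recursive merge that reaches Object.prototype through a `__proto__` key, beside a hardened variant that refuses such keys; the hostile JSON document and the `polluted` property name are constructed for the demonstration.

```javascript
// Added example, not JOC Cockpit or async code: unsafe vs hardened deep merge.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: every key is trusted, and target["__proto__"] resolves
// to Object.prototype, so the recursion writes into the shared prototype.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Hardened pattern: refuse prototype-altering keys and only descend into
// properties the target itself owns (never inherited ones).
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      target[key] = safeMerge(own && isPlainObject(target[key]) ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed hostile document. JSON.parse keeps "__proto__" as an own key
// (an object literal would not), which is why it reaches the merge loop.
const HOSTILE_JSON = '{"name":"job1","__proto__":{"polluted":true}}';

// Merge the document into fresh settings and report whether an unrelated
// object now inherits the injected property.
function demonstrate(mergeFn) {
  const merged = mergeFn({ name: "default" }, JSON.parse(HOSTILE_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // reset so each run starts clean
  return { name: merged.name, leaked };
}

console.log(demonstrate(naiveMerge)); // { name: 'job1', leaked: true }
console.log(demonstrate(safeMerge));  // { name: 'job1', leaked: false }
```

The same key filter applies wherever a merge or extend helper might one day be fed parsed JSON from a request; `Object.freeze(Object.prototype)` at startup is a further belt-and-braces option for code paths that cannot be audited.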