CVE-2019-18841

EUVD-2019-0780
Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.3 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score
Percentile: 69%
Affected Products (NVD)
Vendor | Product | Version
chartkick | chartkick.js | 3.1.0 ≤ 𝑥 ≤ 3.1.3
𝑥 = Vulnerable software versions
Debian Releases
Debian Product | Codename | Version | Status
chartkick.js | bookworm | 4.1.0-2 | fixed
chartkick.js | bullseye | 2.1.0-2.1 | fixed
chartkick.js | sid | 4.1.0-2 | fixed
chartkick.js | trixie | 4.1.0-2 | fixed
Ubuntu Releases
Ubuntu Product | Codename | Status
chartkick.js | bionic | not-affected
chartkick.js | disco | not-affected
chartkick.js | eoan | not-affected
chartkick.js | trusty | dne
chartkick.js | xenial | dne