Description
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
A Prototype Pollution vulnerability was found in lodash. Calling certain methods, such as defaultsDeep, with untrusted JSON could lead to modifying objects up the prototype chain, including Object.prototype, which every plain object inherits from. A crafted JSON object passed to a vulnerable method could therefore inject properties into unrelated objects, leading to denial of service or data injection, with consequences that depend on how the application uses those objects.
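The mechanism described above, as an added example that is neither lodash's source nor part of this advisory: a minimal "defaults deep" merge that reproduces the flawed pattern (recursing through a source key named `constructor`, whose target counterpart is the `Object` function, and then through `prototype`, which is `Object.prototype`), placed beside a hardened rewrite that refuses the `__proto__`, `constructor` and `prototype` keys and only writes to own properties of the target. The two JSON payloads are constructed for the demonstration; the function names are this example's own. It runs on plain Node.js with no dependencies.

```javascript
// Added example, not lodash's code: a minimal "defaults deep" merge that
// reproduces the CVE-2019-10744 pattern, beside a hardened rewrite.

// Constructed attacker input (not taken from the advisory): the path
// constructor -> prototype lands on Object.prototype.
const PAYLOAD = '{"constructor":{"prototype":{"isAdmin":true}},' +
                '"port":9000,"tls":{"minVersion":"TLSv1.2"}}';
// Second constructed payload using the other classic key.
const PAYLOAD_PROTO = '{"__proto__":{"isAdmin":true}}';

// Vulnerable: recurses into every key of the source object. For the key
// "constructor", target.constructor is the Object function; for the nested
// key "prototype", Object.prototype is reached, and the leaf write lands there.
function defaultsDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const srcVal = source[key];
    if (srcVal !== null && typeof srcVal === 'object') {
      if (target[key] === undefined) target[key] = {};
      defaultsDeepVulnerable(target[key], srcVal);
    } else if (target[key] === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only descend into plain data objects, never into functions or class instances.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened: skips the dangerous keys outright and only fills own properties
// of the target, so inherited slots such as Object.prototype are never
// reached through the merge.
function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const srcVal = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(srcVal)) {
      if (!hasOwn) target[key] = {};
      if (isPlainObject(target[key])) defaultsDeepSafe(target[key], srcVal);
    } else if (!hasOwn) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Runs both merges against the same payload and reports what a fresh,
// unrelated object sees afterwards. Undoes the pollution between the steps
// so the rest of the process stays sane.
function demo(payloadJson) {
  const payload = JSON.parse(payloadJson);
  const before = ({}).isAdmin;                 // undefined on a clean runtime
  defaultsDeepVulnerable({}, payload);
  const afterVulnerable = ({}).isAdmin;        // true: every object is now "admin"
  delete Object.prototype.isAdmin;             // clean up the polluted prototype
  const merged = defaultsDeepSafe({ port: 8080 }, payload);
  const afterSafe = ({}).isAdmin;              // still undefined
  return { before, afterVulnerable, afterSafe, merged };
}

console.log(JSON.stringify(demo(PAYLOAD)));
console.log(JSON.stringify(demo(PAYLOAD_PROTO)));
```

The check that matters in a review of any recursive merge is the one on the key name and on `hasOwnProperty`: a merge that walks `target[key]` for whatever key the attacker chose will sooner or later be handed `Object.prototype`, and from that point every object in the process inherits the injected property.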
Report
The lodash dependency is included in OpenShift Container Platform (OCP) by Kibana in the aggregated logging stack. Elastic has issued a security advisory (ESA-2019-10) for Kibana covering this vulnerability, and in that advisory stated that no exploit vectors had been identified in Kibana. Therefore we rate this issue as moderate for OCP and may fix it in a future release. https://www.elastic.co/community/security

This issue did not affect the versions of rh-nodejs8-nodejs and rh-nodejs10-nodejs shipped with Red Hat Software Collections.

While a vulnerable version of lodash has been included in ServiceMesh, the impact is lowered to Moderate because the library is not directly accessible, which increases the attack complexity, and because the attacker would need some existing access, meaning the vulnerability does not cross a privilege boundary.

Red Hat Quay imports lodash as a runtime dependency of restangular. The restangular functions in use by Red Hat Quay do not use lodash to parse user input. This issue is therefore rated moderate impact for Red Hat Quay.
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | | |
| Red Hat OpenShift Container Platform 3.10 | nodejs-lodash | Fix deferred | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-kibana5 | Will not fix | | |
| Red Hat OpenShift Container Platform 3.9 | nodejs-lodash | Fix deferred | | |
| Red Hat OpenShift Container Platform 4 | logging-kibana5-container | Will not fix | | |
| Red Hat Quay 3 | quay/quay-rhel8 | Will not fix | | |
| Red Hat Software Collections | rh-nodejs10-nodejs | Not affected | | |
| Red Hat Software Collections | rh-nodejs8-nodejs | Not affected | | |
| Jaeger-1.17 | distributed-tracing/jaeger-all-in-one-rhel7 | Fixed | RHSA-2020:2819 | 06.07.2020 |
| Jaeger-1.17 | distributed-tracing/jaeger-query-rhel7 | Fixed | RHSA-2020:2819 | 06.07.2020 |
Additional information
Status:
EPSS:
CVSS3: 9.1 Critical
Related vulnerabilities
Vulnerability in the defaultsDeep function of the Lodash library that allows an attacker to cause a denial of service, execute arbitrary JavaScript code, or escalate privileges