exploitDog

CVE-2020-28500

Published: 15 Feb 2021
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

A flaw was found in nodejs-lodash. A Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions is possible.

Statement

In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low. While Red Hat Virtualization's cockpit-ovirt has a dependency on lodash it doesn't use the vulnerable toNumber, trim, or trimEnd functions. While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable toNumber, trim, or trimEnd functions.

Affected packages

Platform                                              Package               State         Recommendation  Release
OpenShift Service Mesh 2.0                            kiali                 Affected
OpenShift Service Mesh 2.0                            servicemesh-grafana   Affected
OpenShift Service Mesh 2.0                            servicemesh-prometheus Affected
Red Hat Advanced Cluster Management for Kubernetes 2  console-api           Affected
Red Hat Advanced Cluster Management for Kubernetes 2  console-header        Not affected
Red Hat Advanced Cluster Management for Kubernetes 2  console-ui            Not affected
Red Hat Advanced Cluster Management for Kubernetes 2  grc-ui                Not affected
Red Hat Advanced Cluster Management for Kubernetes 2  grc-ui-api            Not affected
Red Hat Advanced Cluster Management for Kubernetes 2  kui-web-terminal      Affected
Red Hat Advanced Cluster Management for Kubernetes 2  mcm-topology          Not affected


Additional information

Status: Moderate
Defect: CWE-400
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928954 (nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions)

EPSS: 0.00202 (Low), percentile 43%

CVSS3: 5.3 (Medium)

Related vulnerabilities

CVSS3: 5.3
ubuntu
more than 4 years ago

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS3: 5.3
nvd
more than 4 years ago

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS3: 5.3
debian
more than 4 years ago

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression ...

CVSS3: 5.3
github
more than 3 years ago

Regular Expression Denial of Service (ReDoS) in lodash

CVSS3: 7.3
fstec
about 4 years ago

A vulnerability in the toNumber, trim and trimEnd functions of the lodash library in the Аврора Центр application software, related to uncontrolled resource consumption, allows an attacker to cause a denial of service.
