CVE-2020-8203

Published: 27 Apr 2020
Source: redhat
CVSS3: 7.4
EPSS: Low

Description

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.

Statement

In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low. Red Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future. Red Hat Virtualization uses a vulnerable version of nodejs-lodash; however, zipObjectDeep is not used, therefore the impact is low.

Affected packages

Platform                                    | Package                              | State                | Recommendation | Release
Red Hat OpenShift Service Mesh 1            | jaeger                               | Out of support scope |                |
Red Hat OpenShift Container Platform 3.11   | kibana                               | Will not fix         |                |
Red Hat OpenShift Container Platform 3.11   | openshift3/grafana                   | Fix deferred         |                |
Red Hat OpenShift Container Platform 3.11   | openshift3/ose-console               | Fix deferred         |                |
Red Hat OpenShift Container Platform 4      | kibana                               | Will not fix         |                |
Red Hat OpenShift Container Platform 4      | logging-kibana5-container            | Fix deferred         |                |
Red Hat OpenShift Container Platform 4      | openshift4/ose-console               | Fix deferred         |                |
Red Hat OpenShift Container Platform 4      | openshift4/ose-grafana               | Fix deferred         |                |
Red Hat OpenShift Container Platform 4      | openshift4/ose-jenkins-agent-nodejs  | Not affected         |                |
Red Hat OpenShift Container Platform 4      | openshift4/ose-metering-hadoop       | Fix deferred         |                |


Additional information

Severity: Moderate
Weakness: CWE-20
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1857412
nodejs-lodash: prototype pollution in zipObjectDeep function

EPSS: 0.03276 (percentile 87%, Low)

CVSS3: 7.4 High

Related vulnerabilities

CVSS3: 7.4
ubuntu
almost 5 years ago

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

CVSS3: 7.4
nvd
almost 5 years ago

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

CVSS3: 7.4
debian
almost 5 years ago

Prototype pollution attack when using _.zipObjectDeep in lodash before ...

CVSS3: 7.4
github
almost 5 years ago

Prototype Pollution in lodash

CVSS3: 7.4
fstec
about 5 years ago

A vulnerability in the implementation of the _.zipObjectDeep() method of the Lodash library that allows an attacker to cause a denial of service or execute arbitrary code
