Description
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
A flaw was found in nodejs-lodash. A command injection flaw is possible through template variables.
Report
In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low. While Red Hat Virtualization's cockpit-ovirt has a dependency on lodash it doesn't use the vulnerable template function. While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable template function.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 2.0 | kiali | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | | |
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-api-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-header-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-ui-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/grc-ui-api-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/grc-ui-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/mcm-topology-api-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/mcm-topology-rhel8 | Not affected | | |
Additional information
Status:
CVSS3: 7.2 High
Related vulnerabilities
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Lodash versions prior to 4.17.21 are vulnerable to Command Injection v ...
Vulnerability in the lodash library of the Аврора Центр application software, caused by improper neutralization of special elements used in an operating system command, allowing an attacker to execute an arbitrary command
CVSS3: 7.2 High