CVE-2020-8203 - Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.02615.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

lodash

affected

Version	Status	Constraints
`Not Fixed`	affected	—

Configuration 1 [-]

cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_liquidity_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_liquidity_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_liquidity_management:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:::::::*
	cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:::::::*
	cpe:2.3:a:oracle:blockchain_platform::::::::
	cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:::::::*
	cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:::::::*
	cpe:2.3:a:oracle:communications_session_border_controller:8.4:::::::*
	cpe:2.3:a:oracle:communications_session_border_controller:9.0:::::::*
	cpe:2.3:a:oracle:communications_session_border_controller:cz8.4:::::::*
	cpe:2.3:a:oracle:communications_session_router:cz8.4:::::::*
	cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.3:::::::*
	cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.4:::::::*
	cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:::::::*
	cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:::::::*
	cpe:2.3:a:oracle:enterprise_communications_broker:pcz3.3:::::::*
	cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools::::::::
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::

Package	CPE	Advisory	Released Date
Jaeger-1.17
distributed-tracing/jaeger-agent-rhel7:1.17.6-1	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:3370	2020-08-06T00:00:00Z
distributed-tracing/jaeger-all-in-one-rhel7:1.17.6-1	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:3370	2020-08-06T00:00:00Z
distributed-tracing/jaeger-collector-rhel7:1.17.6-1	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:3370	2020-08-06T00:00:00Z
distributed-tracing/jaeger-es-index-cleaner-rhel7:1.17.6-1	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:3370	2020-08-06T00:00:00Z
distributed-tracing/jaeger-es-rollover-rhel7:1.17.6-1	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:3370	2020-08-06T00:00:00Z
distributed-tracing/jaeger-ingester-rhel7:1.17.6-1	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:3370	2020-08-06T00:00:00Z
distributed-tracing/jaeger-query-rhel7:1.17.6-1	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:3370	2020-08-06T00:00:00Z
distributed-tracing/jaeger-rhel7-operator:1.17.6-1	cpe:/a:redhat:jaeger:1.17::el7	RHSA-2020:3370	2020-08-06T00:00:00Z
Openshift Service Mesh 1.1
kiali-0:v1.12.10.redhat2-1.el7	cpe:/a:redhat:service_mesh:1.1::el7	RHSA-2020:3369	2020-08-06T00:00:00Z
OpenShift Service Mesh 1.1
ior-0:1.1.6-1.el8	cpe:/a:redhat:service_mesh:1.1::el8	RHSA-2020:3369	2020-08-06T00:00:00Z
servicemesh-0:1.1.6-1.el8	cpe:/a:redhat:service_mesh:1.1::el8	RHSA-2020:3369	2020-08-06T00:00:00Z
servicemesh-cni-0:1.1.6-1.el8	cpe:/a:redhat:service_mesh:1.1::el8	RHSA-2020:3369	2020-08-06T00:00:00Z
servicemesh-grafana-0:6.4.3-13.el8	cpe:/a:redhat:service_mesh:1.1::el8	RHSA-2020:3369	2020-08-06T00:00:00Z
servicemesh-operator-0:1.1.6-2.el8	cpe:/a:redhat:service_mesh:1.1::el8	RHSA-2020:3369	2020-08-06T00:00:00Z
servicemesh-prometheus-0:2.14.0-14.el8	cpe:/a:redhat:service_mesh:1.1::el8	RHSA-2020:3369	2020-08-06T00:00:00Z
Red Hat OpenShift Container Platform 4.6
openshift4/ose-metering-presto:v4.6.0-202010200139.p0	cpe:/a:redhat:openshift:4.6::el8	RHSA-2020:4298	2020-10-27T00:00:00Z
Red Hat Quay 3
quay/quay-rhel8:v3.6.0-62	cpe:/a:redhat:quay:3::el8	RHSA-2021:3917	2021-10-19T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
cockpit-ovirt-0:0.14.15-1.el8ev	cpe:/o:redhat:rhev_hypervisor:4.4::el8	RHSA-2020:5611	2020-12-17T00:00:00Z
Red Hat Virtualization Engine 4.4
ovirt-engine-ui-extensions-0:1.2.3-1.el8ev	cpe:/a:redhat:rhev_manager:4.4:el8	RHSA-2020:3807	2020-09-23T00:00:00Z
ovirt-web-ui-0:1.6.4-1.el8ev	cpe:/a:redhat:rhev_manager:4.4:el8	RHSA-2020:3807	2020-09-23T00:00:00Z
org.ovirt.engine-root-0:4.4.3.8-1	cpe:/a:redhat:rhev_manager:4.4:el8	RHSA-2020:5179	2020-11-24T00:00:00Z

No data.

Project Subscriptions

Vendors	Products
Lodash Subscribe	Lodash Subscribe
Oracle Subscribe	Banking Corporate Lending Process Management Subscribe Banking Credit Facilities Process Management Subscribe Banking Extensibility Workbench Subscribe Banking Liquidity Management Subscribe Banking Supply Chain Finance Subscribe Banking Trade Finance Process Management Subscribe Banking Virtual Account Management Subscribe Blockchain Platform Subscribe Communications Billing And Revenue Management Subscribe Communications Cloud Native Core Policy Subscribe Communications Session Border Controller Subscribe Communications Session Router Subscribe Communications Subscriber-aware Load Balancer Subscribe Enterprise Communications Broker Subscribe Jd Edwards Enterpriseone Tools Subscribe Peoplesoft Enterprise Peopletools Subscribe Primavera Gateway Subscribe
Redhat Subscribe	Jaeger Subscribe Openshift Subscribe Quay Subscribe Rhev Hypervisor Subscribe Rhev Manager Subscribe Service Mesh Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-p6mc-m468-83gw	Prototype Pollution in lodash

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/lodash/lodash/issues/4874
https://hackerone.com/reports/712065
https://nvd.nist.gov/vuln/detail/CVE-2020-8203
https://security.netapp.com/advisory/ntap-20200724-0006/
https://www.cve.org/CVERecord?id=CVE-2020-8203
https://www.npmjs.com/advisories/1523
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2020-07-15T16:10:27

Updated: 2024-08-04T09:56:28.214Z

Reserved: 2020-01-28T00:00:00

Link: CVE-2020-8203

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-07-15T17:15:11.797

Modified: 2024-11-21T05:38:29.790

Link: CVE-2020-8203

Redhat

Severity : Moderate

Publid Date: 2020-04-27T00:00:00Z

Links: CVE-2020-8203 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object