{"containers": {"cna": {"affected": [{"product": "lodash", "vendor": "n/a", "versions": [{"status": "affected", "version": "Not Fixed"}]}], "descriptions": [{"lang": "en", "value": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling (CWE-770)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:23:22", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/712065"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200724-0006/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lodash/lodash/issues/4874"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8203", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "lodash", "version": {"version_data": [{"version_value": "Not Fixed"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Allocation of Resources Without Limits or Throttling (CWE-770)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/712065", "refsource": "MISC", "url": "https://hackerone.com/reports/712065"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"name": "https://security.netapp.com/advisory/ntap-20200724-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200724-0006/"}, {"name": "https://github.com/lodash/lodash/issues/4874", "refsource": "MISC", "url": "https://github.com/lodash/lodash/issues/4874"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:56:28.214Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/712065"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200724-0006/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lodash/lodash/issues/4874"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8203", "datePublished": "2020-07-15T16:10:27", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2024-08-04T09:56:28.214Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5320B76A-C335-4F3B-A589-73CC64033FFB", "versionEndExcluding": "4.17.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0CF9A061-2421-426D-9854-0A4E55B2961D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F95EDC3D-54BB-48F9-82F2-7CCF335FCA78", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B72B735F-4E52-484A-9C2C-23E6E2070385", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8B36A1D4-F391-4EE3-9A65-0A10568795BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "0275F820-40BE-47B8-B167-815A55DF578E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8C8E145E-1DF0-4B18-B625-F04DF71F6ACF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "EABAFD73-150F-4DFE-B721-29EB4475D979", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "8A45D47B-3401-49CF-92EE-79D007D802A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_liquidity_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "33605127-1352-4285-AE96-B51156B70613", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_liquidity_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA7423C4-7016-429B-997F-61E7AEB8F696", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_liquidity_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "C7BC8689-5E87-43FE-ADE8-5907F581B08E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6A8420D4-AAF1-44AA-BF28-48EE3ED310B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "2FB80AC5-35F2-4703-AD93-416B46972EEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "19DAAEFF-AB4A-4D0D-8C86-D2F2811B53B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9E14324D-B9EE-4C06-ACC7-255189ED6300", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CBEBB60F-6EAB-4AE5-B777-5044C657FBA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B185C1EA-71E6-4972-8637-08A33CC00841", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "D1534C11-E3F5-49F3-8F8D-7C5C90951E69", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D952E04D-DE2D-4AE0-BFE6-7D9B7E55AC80", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1111BCFD-E336-4B31-A87E-76C684AC6DE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7", "versionEndExcluding": "21.1.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*", "matchCriteriaId": "790A89FD-6B86-49AE-9B4F-AE7262915E13", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E39D442D-1997-49AF-8B02-5640BE2A26CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "EC7DB86F-3FAA-43C1-9C44-7CC5FB34419E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "9C416FD3-2E2F-4BBC-BD5F-F896825883F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "D886339E-EDB2-4879-BD54-1800E4CA9CAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_border_controller:cz8.4:*:*:*:*:*:*:*", "matchCriteriaId": "62A561CF-09BE-4EDB-AAB7-4B057C0B0E44", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_router:cz8.4:*:*:*:*:*:*:*", "matchCriteriaId": "ECF63433-30CC-4E0D-B66A-FD160111763B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F2BFCE3-D743-4AC6-8FEC-75CAF66BFB65", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.4:*:*:*:*:*:*:*", "matchCriteriaId": "B8D05530-BFC7-4652-B387-BC931F43AB5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "348EEE70-E114-4720-AAAF-E77DE5C9A2D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "3DCDD73B-57B1-4580-B922-5662E3AC13B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_communications_broker:pcz3.3:*:*:*:*:*:*:*", "matchCriteriaId": "4B317147-064A-4786-B3D6-CDE1653E067E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "9722362B-027B-4311-8F3A-287AE1199019", "versionEndIncluding": "9.2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48", "versionEndIncluding": "17.12.11", "versionStartIncluding": "17.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "301E7158-9090-467C-B3B4-30A8DB3B395D", "versionEndIncluding": "18.8.12", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBEFACB1-C8EA-492B-8F85-A564DB363C83", "versionEndIncluding": "19.12.11", "versionStartIncluding": "19.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6B70E72-B9FC-4E49-8EDD-29C7E14F5792", "versionEndIncluding": "20.12.7", "versionStartIncluding": "20.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20."}, {"lang": "es", "value": "Un ataque de contaminaci\u00f3n de prototipo cuando se utiliza _.zipObjectDeep en lodash versiones anteriores a 4.17.20"}], "id": "CVE-2020-8203", "lastModified": "2024-11-21T05:38:29.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-15T17:15:11.797", "references": [{"source": "support@hackerone.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://github.com/lodash/lodash/issues/4874"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/712065"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200724-0006/"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://github.com/lodash/lodash/issues/4874"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/712065"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200724-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:3370", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "impact": "low", "package": "distributed-tracing/jaeger-agent-rhel7:1.17.6-1", "product_name": "Jaeger-1.17", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3370", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "impact": "low", "package": "distributed-tracing/jaeger-all-in-one-rhel7:1.17.6-1", "product_name": "Jaeger-1.17", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3370", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "impact": "low", "package": "distributed-tracing/jaeger-collector-rhel7:1.17.6-1", "product_name": "Jaeger-1.17", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3370", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "impact": "low", "package": "distributed-tracing/jaeger-es-index-cleaner-rhel7:1.17.6-1", "product_name": "Jaeger-1.17", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3370", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "impact": "low", "package": "distributed-tracing/jaeger-es-rollover-rhel7:1.17.6-1", "product_name": "Jaeger-1.17", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3370", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "impact": "low", "package": "distributed-tracing/jaeger-ingester-rhel7:1.17.6-1", "product_name": "Jaeger-1.17", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3370", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "impact": "low", "package": "distributed-tracing/jaeger-query-rhel7:1.17.6-1", "product_name": "Jaeger-1.17", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3370", "cpe": "cpe:/a:redhat:jaeger:1.17::el7", "impact": "low", "package": "distributed-tracing/jaeger-rhel7-operator:1.17.6-1", "product_name": "Jaeger-1.17", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3369", "cpe": "cpe:/a:redhat:service_mesh:1.1::el7", "impact": "low", "package": "kiali-0:v1.12.10.redhat2-1.el7", "product_name": "Openshift Service Mesh 1.1", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3369", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "impact": "low", "package": "ior-0:1.1.6-1.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3369", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "impact": "low", "package": "servicemesh-0:1.1.6-1.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3369", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "impact": "low", "package": "servicemesh-cni-0:1.1.6-1.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3369", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "impact": "low", "package": "servicemesh-grafana-0:6.4.3-13.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3369", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "impact": "low", "package": "servicemesh-operator-0:1.1.6-2.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:3369", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "impact": "low", "package": "servicemesh-prometheus-0:2.14.0-14.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:4298", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "impact": "low", "package": "openshift4/ose-metering-presto:v4.6.0-202010200139.p0", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2020-10-27T00:00:00Z"}, {"advisory": "RHSA-2021:3917", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-rhel8:v3.6.0-62", "product_name": "Red Hat Quay 3", "release_date": "2021-10-19T00:00:00Z"}, {"advisory": "RHSA-2020:5611", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "impact": "low", "package": "cockpit-ovirt-0:0.14.15-1.el8ev", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2020-12-17T00:00:00Z"}, {"advisory": "RHSA-2020:3807", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "impact": "low", "package": "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2020-09-23T00:00:00Z"}, {"advisory": "RHSA-2020:3807", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "impact": "low", "package": "ovirt-web-ui-0:1.6.4-1.el8ev", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2020-09-23T00:00:00Z"}, {"advisory": "RHSA-2020:5179", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "impact": "low", "package": "org.ovirt.engine-root-0:4.4.3.8-1", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2020-11-24T00:00:00Z"}], "bugzilla": {"description": "nodejs-lodash: prototype pollution in zipObjectDeep function", "id": "1857412", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857412"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability."], "name": "CVE-2020-8203", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Out of support scope", "impact": "low", "package_name": "jaeger", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift3/ose-console", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "logging-kibana5-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-jenkins-agent-nodejs", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-metering-hadoop", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-prometheus", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Affected", "impact": "low", "package_name": "ovirt-engine-api-explorer", "product_name": "Red Hat Virtualization 4"}], "public_date": "2020-04-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8203\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8203\nhttps://hackerone.com/reports/712065\nhttps://www.npmjs.com/advisories/1523"], "statement": "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\nRed Hat Virtualization uses vulnerable version of nodejs-lodash, however zipObjectDeep is not used, therefore the impact is low.", "threat_severity": "Moderate"}