{
  "threat_severity" : "Important",
  "public_date" : "2019-08-09T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
    "id" : "1739497",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1739497"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", "A Prototype Pollution vulnerability was found in lodash. Calling certain methods with untrusted JSON could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences." ],
  "statement" : "The lodash dependency is included in OpenShift Container Platform (OCP) by Kibana in the aggregated logging stack. Elastic have issued a security advisory (ESA-2019-10) for Kibana for this vulnerability, and in that advisory stated that no exploit vectors had been identified in Kibana. Therefore we rate this issue as moderate for OCP and may fix this issue in a future release.\nhttps://www.elastic.co/community/security\nThis issue did not affect the versions of rh-nodejs8-nodejs and rh-nodejs10-nodejs as shipped with Red Hat Software Collections.\nWhilst a vulnerable version of lodash has been included in ServiceMesh, the impact is lowered to Moderate because the library is not directly accessible (increasing the attack complexity) and because the attacker would need some existing access - meaning the vulnerability does not cross a privilege boundary.\nRed Hat Quay imports lodash as a runtime dependency of restangular. The restangular functions in use by Red Hat Quay do not use lodash to parse user input. This issue is therefore rated moderate impact for Red Hat Quay.",
  "affected_release" : [ {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-07-06T00:00:00Z",
    "advisory" : "RHSA-2020:2819",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-all-in-one-rhel7:1.17.2-3",
    "impact" : "moderate"
  }, {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-07-06T00:00:00Z",
    "advisory" : "RHSA-2020:2819",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-query-rhel7:1.17.2-3",
    "impact" : "moderate"
  }, {
    "product_name" : "Openshift Service Mesh 1.0",
    "release_date" : "2020-06-02T00:00:00Z",
    "advisory" : "RHSA-2020:2362",
    "cpe" : "cpe:/a:redhat:service_mesh:1.0::el7",
    "package" : "jaeger-0:v1.13.1.redhat7-1.el7",
    "impact" : "moderate"
  }, {
    "product_name" : "Openshift Service Mesh 1.0",
    "release_date" : "2020-06-02T00:00:00Z",
    "advisory" : "RHSA-2020:2362",
    "cpe" : "cpe:/a:redhat:service_mesh:1.0::el7",
    "package" : "kiali-0:v1.0.11.redhat1-1.el7",
    "impact" : "moderate"
  }, {
    "product_name" : "OpenShift Service Mesh 1.0",
    "release_date" : "2020-06-02T00:00:00Z",
    "advisory" : "RHSA-2020:2362",
    "cpe" : "cpe:/a:redhat:service_mesh:1.0::el8",
    "package" : "servicemesh-grafana-0:6.2.2-36.el8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat AMQ 7.10.0",
    "release_date" : "2022-06-16T00:00:00Z",
    "advisory" : "RHSA-2022:5101",
    "cpe" : "cpe:/a:redhat:amq_broker:7",
    "package" : "nodejs-lodash",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Fuse 7.10",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5134",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "nodejs-lodash",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2019-10-10T00:00:00Z",
    "advisory" : "RHSA-2019:3024",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "ovirt-web-ui-0:1.6.0-1.el7ev",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs-lodash",
    "cpe" : "cpe:/a:redhat:openshift:3.10",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "openshift3/ose-logging-kibana5",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Fix deferred",
    "package_name" : "nodejs-lodash",
    "cpe" : "cpe:/a:redhat:openshift:3.9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "logging-kibana5-container",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Will not fix",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs10-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs8-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10744\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10744" ],
  "name" : "CVE-2019-10744",
  "csaw" : false
}