{ "threat_severity" : "Moderate", "public_date" : "2021-02-15T00:00:00Z", "bugzilla" : { "description" : "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", "id" : "1928954", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1928954" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", "A flaw was found in nodejs-lodash. A Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions is possible." ], "statement" : "In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.\nWhile Red Hat Virtualization's cockpit-ovirt has a dependency on lodash it doesn't use the vulnerable toNumber, trim, or trimEnd functions.\nWhile Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable toNumber, trim, or trimEnd functions.", "affected_release" : [ { "product_name" : "Red Hat Migration Toolkit for Containers 1.7", "release_date" : "2022-09-13T00:00:00Z", "advisory" : "RHSA-2022:6429", "cpe" : "cpe:/a:redhat:rhmt:1.7::el8", "package" : "rhmtc/openshift-migration-ui-rhel8:v1.7.4-12" }, { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2021-07-27T00:00:00Z", "advisory" : "RHSA-2021:2438", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2021-07-27T00:00:00Z", "advisory" : "RHSA-2021:2438", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "openshift4/ose-grafana:v4.8.0-202106291913.p0.git.b987e4b.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2021-07-27T00:00:00Z", "advisory" : "RHSA-2021:2438", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "openshift4/ose-prometheus:v4.8.0-202106291913.p0.git.f3beb88.assembly.stream" }, { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2021-07-27T00:00:00Z", "advisory" : "RHSA-2021:2438", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "openshift4/ose-thanos-rhel8:v4.8.0-202106291913.p0.git.c358e96.assembly.stream" }, { "product_name" : "Red Hat OpenShift Jaeger 1.20", "release_date" : "2021-06-24T00:00:00Z", "advisory" : "RHSA-2021:2543", "cpe" : "cpe:/a:redhat:jaeger:1.20::el8", "package" : "distributed-tracing/jaeger-all-in-one-rhel8:1.20.4-18" }, { "product_name" : "Red Hat OpenShift Jaeger 1.20", "release_date" : "2021-06-24T00:00:00Z", "advisory" : "RHSA-2021:2543", "cpe" : "cpe:/a:redhat:jaeger:1.20::el8", "package" : "distributed-tracing/jaeger-query-rhel8:1.20.4-18" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date" : "2021-09-08T00:00:00Z", "advisory" : "RHSA-2021:3459", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package" : "cockpit-ovirt-0:0.15.1-2.el8ev" }, { "product_name" : "Red Hat Virtualization Engine 4.4", "release_date" : "2021-06-01T00:00:00Z", "advisory" : "RHSA-2021:2179", "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8", "package" : "ovirt-engine-ui-extensions-0:1.2.6-1.el8ev" }, { "product_name" : "Red Hat Virtualization Engine 4.4", "release_date" : "2021-06-01T00:00:00Z", "advisory" : "RHSA-2021:2179", "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8", "package" : "ovirt-web-ui-0:1.6.9-1.el8ev" } ], "package_state" : [ { "product_name" : "OpenShift Service Mesh 2.0", "fix_state" : "Affected", "package_name" : "servicemesh-grafana", "cpe" : "cpe:/a:redhat:service_mesh:2.0" }, { "product_name" : "OpenShift Service Mesh 2.0", "fix_state" : "Affected", "package_name" : "servicemesh-prometheus", "cpe" : "cpe:/a:redhat:service_mesh:2.0" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "application-ui", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "console-api", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "console-header", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "console-ui", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "grc-ui", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "grc-ui-api", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "kui-web-terminal", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "mcm-topology", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "mcm-topology-api", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "search-api", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Ansible Automation Platform 1.2", "fix_state" : "Not affected", "package_name" : "lodash", "cpe" : "cpe:/a:redhat:ansible_automation_platform" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "lodash", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Will not fix", "package_name" : "kibana", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "golang-github-prometheus-promu", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "kibana", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-logging-kibana6", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-presto", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-thanos-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "rhel8/grafana", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "lodash", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Will not fix", "package_name" : "quay", "cpe" : "cpe:/a:redhat:quay:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-28500\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28500\nhttps://snyk.io/vuln/SNYK-JS-LODASH-1018905" ], "name" : "CVE-2020-28500", "csaw" : false }