{
  "threat_severity" : "Moderate",
  "public_date" : "2020-04-27T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-lodash: prototype pollution in zipObjectDeep function",
    "id" : "1857412",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1857412"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", "A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability." ],
  "statement" : "In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only; therefore the impact is low.\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-lodash library is used, but because the code is moving to container-first content, the kibana package is marked as wontfix. This may be fixed in the future.\nRed Hat Virtualization uses a vulnerable version of nodejs-lodash; however, zipObjectDeep is not used, therefore the impact is low.",
  "affected_release" : [ {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3370",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-agent-rhel7:1.17.6-1",
    "impact" : "low"
  }, {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3370",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-all-in-one-rhel7:1.17.6-1",
    "impact" : "low"
  }, {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3370",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-collector-rhel7:1.17.6-1",
    "impact" : "low"
  }, {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3370",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-es-index-cleaner-rhel7:1.17.6-1",
    "impact" : "low"
  }, {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3370",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-es-rollover-rhel7:1.17.6-1",
    "impact" : "low"
  }, {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3370",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-ingester-rhel7:1.17.6-1",
    "impact" : "low"
  }, {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3370",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-query-rhel7:1.17.6-1",
    "impact" : "low"
  }, {
    "product_name" : "Jaeger-1.17",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3370",
    "cpe" : "cpe:/a:redhat:jaeger:1.17::el7",
    "package" : "distributed-tracing/jaeger-rhel7-operator:1.17.6-1",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1.1",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3369",
    "cpe" : "cpe:/a:redhat:service_mesh:1.1::el7",
    "package" : "kiali-0:v1.12.10.redhat2-1.el7",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1.1",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3369",
    "cpe" : "cpe:/a:redhat:service_mesh:1.1::el8",
    "package" : "ior-0:1.1.6-1.el8",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1.1",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3369",
    "cpe" : "cpe:/a:redhat:service_mesh:1.1::el8",
    "package" : "servicemesh-0:1.1.6-1.el8",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1.1",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3369",
    "cpe" : "cpe:/a:redhat:service_mesh:1.1::el8",
    "package" : "servicemesh-cni-0:1.1.6-1.el8",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1.1",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3369",
    "cpe" : "cpe:/a:redhat:service_mesh:1.1::el8",
    "package" : "servicemesh-grafana-0:6.4.3-13.el8",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1.1",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3369",
    "cpe" : "cpe:/a:redhat:service_mesh:1.1::el8",
    "package" : "servicemesh-operator-0:1.1.6-2.el8",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Service Mesh 1.1",
    "release_date" : "2020-08-06T00:00:00Z",
    "advisory" : "RHSA-2020:3369",
    "cpe" : "cpe:/a:redhat:service_mesh:1.1::el8",
    "package" : "servicemesh-prometheus-0:2.14.0-14.el8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2020-10-27T00:00:00Z",
    "advisory" : "RHSA-2020:4298",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-metering-presto:v4.6.0-202010200139.p0",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-10-19T00:00:00Z",
    "advisory" : "RHSA-2021:3917",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-rhel8:v3.6.0-62"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2020-12-17T00:00:00Z",
    "advisory" : "RHSA-2020:5611",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "cockpit-ovirt-0:0.14.15-1.el8ev",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.4",
    "release_date" : "2020-09-23T00:00:00Z",
    "advisory" : "RHSA-2020:3807",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8",
    "package" : "ovirt-engine-ui-extensions-0:1.2.3-1.el8ev",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.4",
    "release_date" : "2020-09-23T00:00:00Z",
    "advisory" : "RHSA-2020:3807",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8",
    "package" : "ovirt-web-ui-0:1.6.4-1.el8ev",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.4",
    "release_date" : "2020-11-24T00:00:00Z",
    "advisory" : "RHSA-2020:5179",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8",
    "package" : "org.ovirt.engine-root-0:4.4.3.8-1",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 1",
    "fix_state" : "Out of support scope",
    "package_name" : "jaeger",
    "cpe" : "cpe:/a:redhat:service_mesh:1",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "kibana",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift3/grafana",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift3/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "kibana",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "logging-kibana5-container",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-jenkins-agent-nodejs",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-metering-hadoop",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-prometheus",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "ovirt-engine-api-explorer",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8203\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8203\nhttps://hackerone.com/reports/712065\nhttps://www.npmjs.com/advisories/1523" ],
  "name" : "CVE-2020-8203",
  "csaw" : false
}