Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15. Reference: https://hackerone.com/reports/712065
Upstream fix: https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12
External References: https://hackerone.com/reports/712065 https://www.npmjs.com/advisories/1523
Changing the CVSS: AC:L -> AC:H. To exploit this vulnerability the attacker must be able to zip objects based on user-provided property arrays, which means they must somehow guess the array properties first.
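As an added example (not part of the bug report, the lodash source, or Red Hat's statement), the following JavaScript models the failure mode behind this CVE and the precondition noted above: a deep path setter that walks attacker-controlled keys reaches Object.prototype through "__proto__", so the zipped value lands on every object in the process. The function names zipObjectDeepVulnerable, zipObjectDeepHardened, hasBlockedKey, isPolluted and demo are hypothetical; the hardened variant refuses the keys __proto__, constructor and prototype, which is my paraphrase of the idea in the upstream fix linked above, not lodash's code.

```javascript
// Added example, not code from lodash, Red Hat or the HackerOne report.
// It models the failure mode: a deep-path setter that walks attacker-
// supplied keys reaches Object.prototype through "__proto__", so the
// "zipped" value lands on every object in the process.

// Vulnerable model of a zipObjectDeep-style helper (hypothetical name).
// No check on the keys: "__proto__" on a plain object resolves to
// Object.prototype, so the leaf assignment pollutes it.
function zipObjectDeepVulnerable(paths, values) {
  const result = {};
  paths.forEach((path, i) => {
    const keys = Array.isArray(path) ? path : String(path).split('.');
    let cur = result;
    for (let k = 0; k < keys.length - 1; k++) {
      if (cur[keys[k]] == null) cur[keys[k]] = {};
      cur = cur[keys[k]];
    }
    cur[keys[keys.length - 1]] = values[i];
  });
  return result;
}

// Keys that let a path escape the object being built. Refusing them is the
// same idea as the upstream fix linked above (my paraphrase, not lodash code).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Input check a caller can run on user-supplied paths before zipping.
function hasBlockedKey(path) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  return keys.some((k) => BLOCKED_KEYS.has(String(k)));
}

// Hardened model: drop any path containing a blocked key and only descend
// into own properties, so inherited properties cannot be reached either.
function zipObjectDeepHardened(paths, values) {
  const result = {};
  paths.forEach((path, i) => {
    if (hasBlockedKey(path)) return; // skip the whole path
    const keys = Array.isArray(path) ? path : String(path).split('.');
    let cur = result;
    for (let k = 0; k < keys.length - 1; k++) {
      if (!Object.prototype.hasOwnProperty.call(cur, keys[k]) ||
          typeof cur[keys[k]] !== 'object' || cur[keys[k]] === null) {
        cur[keys[k]] = {};
      }
      cur = cur[keys[k]];
    }
    cur[keys[keys.length - 1]] = values[i];
  });
  return result;
}

// Probe: a fresh object has "polluted" only if Object.prototype does.
function isPolluted() {
  return ({}).polluted === true;
}

// Runs both variants against constructed attacker input and reports what
// happened, restoring Object.prototype so the rest of the process is clean.
function demo() {
  // Constructed attacker input: one hostile path, one legitimate path.
  const attackerPaths = [['__proto__', 'polluted'], 'a.b.c'];
  const attackerValues = [true, 42];

  zipObjectDeepVulnerable(attackerPaths, attackerValues);
  const vulnerablePolluted = isPolluted();
  delete Object.prototype.polluted;

  const built = zipObjectDeepHardened(attackerPaths, attackerValues);
  const hardenedPolluted = isPolluted();

  return { vulnerablePolluted, hardenedPolluted, legit: built.a.b.c };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running demo() shows the vulnerable model setting `polluted` on every object while the hardened model drops the hostile path and still builds `a.b.c`. The same probe (`({}).polluted`) is a cheap post-deployment check for whether a process has already been polluted, which is what makes this class of bug dangerous: the effect persists for the life of the process and surfaces far from the call site.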
Statement: In OpenShift ServiceMesh (OSSM), Red Hat OpenShift Jaeger (RHOSJ) and Red Hat OpenShift Container Platform (RHOCP), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only; therefore the impact is low. Red Hat OpenShift Container Platform 4 delivers the kibana package, where the nodejs-lodash library is used, but because the code is changing to container-first content, the kibana package is marked as wontfix. This may be fixed in the future. Red Hat Virtualization uses a vulnerable version of nodejs-lodash; however, zipObjectDeep is not used, therefore the impact is low.
Created nodejs-lodash tracking bugs for this issue: Affects: epel-all [bug 1859861]
This issue has been addressed in the following products: Jaeger-1.17 Via RHSA-2020:3370 https://access.redhat.com/errata/RHSA-2020:3370
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:3369 https://access.redhat.com/errata/RHSA-2020:3369
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8203
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:3807 https://access.redhat.com/errata/RHSA-2020:3807
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:5179 https://access.redhat.com/errata/RHSA-2020:5179
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2020:5611 https://access.redhat.com/errata/RHSA-2020:5611
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917