CVE-2020-8203: Input Validation
First published: Mon Apr 27 2020(Updated: )
A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.
Credit: support@hackerone.com support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kiali | <0:v1.12.10.redhat2-1.el7 | 0:v1.12.10.redhat2-1.el7 |
| redhat/ior | <0:1.1.6-1.el8 | 0:1.1.6-1.el8 |
| redhat/servicemesh | <0:1.1.6-1.el8 | 0:1.1.6-1.el8 |
| redhat/servicemesh-cni | <0:1.1.6-1.el8 | 0:1.1.6-1.el8 |
| redhat/servicemesh-grafana | <0:6.4.3-13.el8 | 0:6.4.3-13.el8 |
| redhat/servicemesh-operator | <0:1.1.6-2.el8 | 0:1.1.6-2.el8 |
| redhat/servicemesh-prometheus | <0:2.14.0-14.el8 | 0:2.14.0-14.el8 |
| redhat/cockpit-ovirt | <0:0.14.15-1.el8e | 0:0.14.15-1.el8e |
| redhat/ovirt-engine-ui-extensions | <0:1.2.3-1.el8e | 0:1.2.3-1.el8e |
| redhat/ovirt-web-ui | <0:1.6.4-1.el8e | 0:1.6.4-1.el8e |
| redhat/nodejs-lodash | <4.17.16 | 4.17.16 |
| npm/lodash.updatewith | <=4.10.2 | |
| npm/lodash.update | <=4.10.2 | |
| npm/lodash.setwith | <=4.3.2 | |
| npm/lodash.set | >=3.7.0<=4.3.2 | |
| npm/lodash.pick | >=4.0.0<=4.4.0 | |
| npm/lodash-es | >=3.7.0<4.17.20 | 4.17.20 |
| npm/lodash | >=3.7.0<4.17.19 | 4.17.19 |
| Lodash Lodash Node.js | <4.17.20 | |
| Oracle Banking Corporate Lending Process Management | =14.2.0 | |
| Oracle Banking Corporate Lending Process Management | =14.3.0 | |
| Oracle Banking Corporate Lending Process Management | =14.5.0 | |
| Oracle Banking Credit Facilities Process Management | =14.2.0 | |
| Oracle Banking Credit Facilities Process Management | =14.3.0 | |
| Oracle Banking Credit Facilities Process Management | =14.5.0 | |
| Oracle Banking Extensibility Workbench | =14.2.0 | |
| Oracle Banking Extensibility Workbench | =14.3.0 | |
| Oracle Banking Extensibility Workbench | =14.5.0 | |
| Oracle Banking Liquidity Management | =14.2.0 | |
| Oracle Banking Liquidity Management | =14.3.0 | |
| Oracle Banking Liquidity Management | =14.5.0 | |
| Oracle Banking Supply Chain Finance | =14.2.0 | |
| Oracle Banking Supply Chain Finance | =14.3.0 | |
| Oracle Banking Supply Chain Finance | =14.5.0 | |
| Oracle Banking Trade Finance Process Management | =14.2.0 | |
| Oracle Banking Trade Finance Process Management | =14.3.0 | |
| Oracle Banking Trade Finance Process Management | =14.5.0 | |
| Oracle Banking Virtual Account Management | =14.2.0 | |
| Oracle Banking Virtual Account Management | =14.3.0 | |
| Oracle Banking Virtual Account Management | =14.5.0 | |
| oracle blockchain platform | <21.1.2 | |
| Oracle Communications Billing and Revenue Management | =7.5.0.23.0 | |
| Oracle Communications Billing and Revenue Management | =12.0.0.3.0 | |
| oracle communications Cloud native core policy | =1.11.0 | |
| Oracle Communications Session Border Controller | =8.4 | |
| Oracle Communications Session Border Controller | =9.0 | |
| Oracle Communications Session Border Controller | =cz8.4 | |
| oracle communications session router | =cz8.4 | |
| oracle communications subscriber-aware load balancer | =cz8.3 | |
| oracle communications subscriber-aware load balancer | =cz8.4 | |
| Oracle Enterprise Communications Broker | =3.2.0 | |
| Oracle Enterprise Communications Broker | =3.3.0 | |
| Oracle Enterprise Communications Broker | =pcz3.3 | |
| Oracle JD Edwards EnterpriseOne Tools | <=9.2.6.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| oracle primavera gateway | >=17.12.0<=17.12.11 | |
| oracle primavera gateway | >=18.8.0<=18.8.12 | |
| oracle primavera gateway | >=19.12.0<=19.12.11 | |
| oracle primavera gateway | >=20.12.0<=20.12.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-8203 https://nvd.nist.gov/vuln/detail/CVE-2020-8203 https://hackerone.com/reports/712065 https://www.npmjs.com/advisories/1523
- https://bugzilla.redhat.com/show_bug.cgi?id=1857412
- https://access.redhat.com/errata/RHSA-2020:3369
- https://access.redhat.com/errata/RHSA-2020:4298
- https://access.redhat.com/errata/RHSA-2021:3917
- https://access.redhat.com/errata/RHSA-2020:5611
- https://access.redhat.com/errata/RHSA-2020:3807
- https://access.redhat.com/errata/RHSA-2020:5179
- https://access.redhat.com/security/cve/cve-2020-8203
- https://hackerone.com/reports/712065
- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12
- https://www.npmjs.com/advisories/1523
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1859861
- https://access.redhat.com/errata/RHSA-2020:3370
- https://github.com/lodash/lodash/issues/4744
- https://nvd.nist.gov/vuln/detail/CVE-2020-8203
- https://github.com/lodash/lodash/issues/4874
- https://github.com/github/advisory-database/pull/2884
- https://hackerone.com/reports/864701
- https://github.com/lodash/lodash/wiki/Changelog#v41719
- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744
- https://security.netapp.com/advisory/ntap-20200724-0006/
- https://github.com/advisories/GHSA-p6mc-m468-83gw (Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/183560
- https://www.ibm.com/support/pages/node/6356539 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-8203?
CVE-2020-8203 is a vulnerability caused by a prototype pollution attack in the lodash module before version 4.17.20.
What is the severity of CVE-2020-8203?
CVE-2020-8203 has a severity keyword of 'high' and a severity value of 7.
How can I exploit CVE-2020-8203?
To exploit CVE-2020-8203, a remote attacker can use the merge, mergeWith, and defaultsDeep functions in lodash to inject properties onto Object.prototype and potentially crash the server or execute arbitrary code.
How do I fix CVE-2020-8203?
To fix CVE-2020-8203, update the lodash module to version 4.17.20 or newer.
Where can I find more information about CVE-2020-8203?
You can find more information about CVE-2020-8203 at the following references: [IBM X-Force Exchange](https://exchange.xforce.ibmcloud.com/vulnerabilities/183560), [IBM Support](https://www.ibm.com/support/pages/node/6570957), [CVE](https://www.cve.org/CVERecord?id=CVE-2020-8203), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-8203), [HackerOne](https://hackerone.com/reports/712065), [npmjs](https://www.npmjs.com/advisories/1523).
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-8203
- agent/software-canonical-lookup
- agent/author
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-p6mc-m468-83gw
- collector/github-advisory
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- package-manager/redhat
- package-manager/npm
- vendor/lodash
- canonical/lodash lodash node.js
- vendor/oracle
- canonical/oracle banking corporate lending process management
- version/oracle banking corporate lending process management/14.2.0
- version/oracle banking corporate lending process management/14.3.0
- version/oracle banking corporate lending process management/14.5.0
- canonical/oracle banking credit facilities process management
- version/oracle banking credit facilities process management/14.2.0
- version/oracle banking credit facilities process management/14.3.0
- version/oracle banking credit facilities process management/14.5.0
- canonical/oracle banking extensibility workbench
- version/oracle banking extensibility workbench/14.2.0
- version/oracle banking extensibility workbench/14.3.0
- version/oracle banking extensibility workbench/14.5.0
- canonical/oracle banking liquidity management
- version/oracle banking liquidity management/14.2.0
- version/oracle banking liquidity management/14.3.0
- version/oracle banking liquidity management/14.5.0
- canonical/oracle banking supply chain finance
- version/oracle banking supply chain finance/14.2.0
- version/oracle banking supply chain finance/14.3.0
- version/oracle banking supply chain finance/14.5.0
- canonical/oracle banking trade finance process management
- version/oracle banking trade finance process management/14.2.0
- version/oracle banking trade finance process management/14.3.0
- version/oracle banking trade finance process management/14.5.0
- canonical/oracle banking virtual account management
- version/oracle banking virtual account management/14.2.0
- version/oracle banking virtual account management/14.3.0
- version/oracle banking virtual account management/14.5.0
- canonical/oracle blockchain platform
- canonical/oracle communications billing and revenue management
- version/oracle communications billing and revenue management/7.5.0.23.0
- version/oracle communications billing and revenue management/12.0.0.3.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.11.0
- canonical/oracle communications session border controller
- version/oracle communications session border controller/8.4
- version/oracle communications session border controller/9.0
- version/oracle communications session border controller/cz8.4
- canonical/oracle communications session router
- version/oracle communications session router/cz8.4
- canonical/oracle communications subscriber-aware load balancer
- version/oracle communications subscriber-aware load balancer/cz8.3
- version/oracle communications subscriber-aware load balancer/cz8.4
- canonical/oracle enterprise communications broker
- version/oracle enterprise communications broker/3.2.0
- version/oracle enterprise communications broker/3.3.0
- version/oracle enterprise communications broker/pcz3.3
- canonical/oracle jd edwards enterpriseone tools
- version/oracle jd edwards enterpriseone tools/9.2.6.0
- canonical/oracle peoplesoft enterprise pt peopletools
- version/oracle peoplesoft enterprise pt peopletools/8.58
- version/oracle peoplesoft enterprise pt peopletools/8.59
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.12.0
- version/oracle primavera gateway/17.12.11
- version/oracle primavera gateway/18.8.0
- version/oracle primavera gateway/18.8.12
- version/oracle primavera gateway/19.12.0
- version/oracle primavera gateway/19.12.11
- version/oracle primavera gateway/20.12.0
- version/oracle primavera gateway/20.12.7