CVE-2020-8203 (High) detected in multiple libraries - autoclosed #14
Description
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.15.tgz, lodash-4.17.14.tgz, lodash-3.10.1.tgz
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Dependency Hierarchy:
- cli-8.1.0.tgz (Root Library)
- lint-8.3.5.tgz
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
- lint-8.3.5.tgz
lodash-4.17.14.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.14.tgz
Dependency Hierarchy:
- prompt-8.1.0.tgz (Root Library)
- ❌ lodash-4.17.14.tgz (Vulnerable Library)
lodash-3.10.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Dependency Hierarchy:
- prompt-8.1.0.tgz (Root Library)
- vorpal-1.12.0.tgz
- inquirer-0.11.0.tgz
- ❌ lodash-3.10.1.tgz (Vulnerable Library)
- inquirer-0.11.0.tgz
- vorpal-1.12.0.tgz
Found in HEAD commit: 36a9c5d28529109984de6fcc3d0a157d561dac4a
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (@commitlint/cli): 8.2.0
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (@commitlint/prompt): 8.3.6
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (@commitlint/prompt): 14.2.0