Vulnerability Name:

CVE-2020-8203 (CCN-183560)

Assigned: 2020-04-27
Published: 2020-04-27
Updated: 2022-05-12
Summary: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
CVSS v3 Severity: 7.4 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-1321
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2020-8203

Source: XF
Type: UNKNOWN
nodejs-lodash-dos(183560)

Source: MISC
Type: Issue Tracking, Vendor Advisory
https://github.com/lodash/lodash/issues/4874

Source: CCN
Type: Hackerone #712065
Prototype pollution attack (lodash)

Source: MISC
Type: Exploit, Third Party Advisory
https://hackerone.com/reports/712065

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20200724-0006/

Source: CCN
Type: IBM Security Bulletin 6250521 (Watson Machine Learning Community Edition)
WML CE: TensorBoard: Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack.

Source: CCN
Type: IBM Security Bulletin 6257797 (Event Streams)
IBM Event Streams is affected by multiple Node.js vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6323247 (ICP Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js modules

Source: CCN
Type: IBM Security Bulletin 6333015 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is affected by a Node.js lodash module vulnerability.

Source: CCN
Type: IBM Security Bulletin 6338463 (Cloud Private)
IBM Cloud Private is vulnerable to a Node.js lodash vulnerability (CVEID: 183560)

Source: CCN
Type: IBM Security Bulletin 6338477 (Event Streams)
IBM Event Streams is affected by a Node.js http-proxy and lodash module vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6339121 (Cloud Event Management)
Version 4.17.15 of Node.js module lodash included in IBM Netcool Operations Insight 1.6.1.x has a security vulnerability

Source: CCN
Type: IBM Security Bulletin 6340291 (Cloud Pak for Data)
Security Vulnerabilities affect IBM Cloud Pak for Data - Node.js (CVE-2020-8203)

Source: CCN
Type: IBM Security Bulletin 6344315 (Integration Bus)
Vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11

Source: CCN
Type: IBM Security Bulletin 6350653 (Cloud Pak for Multicloud Management)
A security vulnerability in Node.js lodash module affects IBM Cloud Pak for Multicloud Management Infrastructure Management.

Source: CCN
Type: IBM Security Bulletin 6356539 (Planning Analytics Local)
Multiple vulnerabilities affect IBM Planning Analytics

Source: CCN
Type: IBM Security Bulletin 6367943 (Spectrum Protect Plus)
Vulnerabilities in jQuery, Spring, Dom4j, MongoDB, Linux Kernel, Targetcli-fb, Jackson, Node.js, and Apache Commons affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6373630 (Streams Designer)
Node.js module upgrade for IBM Cloud Pak for Data Streams Flows

Source: CCN
Type: IBM Security Bulletin 6378002 (Watson Developer Cloud)
Potential vulnerability with Node.js lodash module

Source: CCN
Type: IBM Security Bulletin 6379558 (Netezza for Cloud Pak for Data)
OSS security Scan issues for Concerto installer.

Source: CCN
Type: IBM Security Bulletin 6382126 (Netezza for Cloud Pak for Data)
OSS scan fixes for Content pos

Source: CCN
Type: IBM Security Bulletin 6382128 (Netezza for Cloud Pak for Data)
Open Source Security issues for NPS console.

Source: CCN
Type: IBM Security Bulletin 6382856 (License Metric Tool)
A vulnerability in JavaScript affects IBM License Metric Tool v9 (CVE-2020-8203).

Source: CCN
Type: IBM Security Bulletin 6403463 (Security Guardium Insights)
IBM Security Guardium Insights is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6483681 (API Connect)
IBM API Connect is impacted by multiple vulnerabilities in Drupal dated modernizr library

Source: CCN
Type: IBM Security Bulletin 6524700 (Planning Analytics Workspace)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6568787 (Cloud Pak for Security)
Cloud Pak for Security contains packages that have multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6570957 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6574021 (Process Mining)
Vulnerability in Lodash affects IBM Process Mining (Multiple CVEs)

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6598689 (Tivoli Netcool/OMNIbus WebGUI)
Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744)

Source: CCN
Type: IBM Security Bulletin 6602299 (UrbanCode Velocity)
CVE-2020-8203

Source: CCN
Type: IBM Security Bulletin 6602301 (UrbanCode Velocity)
CVE-2020-8203

Source: CCN
Type: IBM Security Bulletin 6612727 (Cloud Pak System Software)
Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6830017 (QRadar Pulse App)
QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6838293 (QRadar Assistant)
IBM QRadar Assistant app for IBM QRadar SIEM includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6857863 (MobileFirst Platform Foundation)
Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6966416 (Engineering Workflow Management)
IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203

Source: CCN
Type: NPM Web site
lodash

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:lodash:lodash:*:*:*:*:*:node.js:*:* (Version < 4.17.20)

Configuration 2:
  • cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_border_controller:cz8.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_router:cz8.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_subscriber-aware_load_balancer:cz8.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_subscriber-aware_load_balancer:cz8.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_communications_broker:pcz3.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 17.12.0 and <= 17.12.11)
  • OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 18.8.0 and <= 18.8.12)
  • OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 19.12.0 and <= 19.12.11)
  • OR cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 20.12.0 and <= 20.12.7)
  • OR cpe:/a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_liquidity_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_liquidity_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_liquidity_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:blockchain_platform:*:*:*:*:*:*:*:* (Version < 21.1.2)
  • OR cpe:/a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* (Version <= 9.2.6.0)

Configuration CCN 1:
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:event_streams:2018.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:2019.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:2018.4.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_machine_learning:1.6.2:*:community:*:*:*:*:*
  • OR cpe:/a:ibm:watson_developer_cloud:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_data:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:2019.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_developer_cloud:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_machine_learning:1.7.0:*:community:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:2019.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:11.0.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_data:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.21:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics_local:2.0.9.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams_designer:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams_designer:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams_designer:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:engineering_workflow_management:7.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_insights:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:engineering_workflow_management:7.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:2018.4.1.16:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/omnibus_webgui:8.1.0:*:*:*:*:*:*:*
