CVE-2020-8203

high-risk
Published 2020-07-15

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Do I need to act?

~
3.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.4/10 High
NETWORK / HIGH complexity

Affected Products (20)

Lodash
Banking Liquidity Management
Banking Liquidity Management
Banking Liquidity Management

Affected Vendors

Oracle Lodash

References (16)

Issue Tracking https://github.com/lodash/lodash/issues/4874
Exploit https://hackerone.com/reports/712065
Third Party Advisory https://security.netapp.com/advisory/ntap-20200724-0006/
Patch https://www.oracle.com//security-alerts/cpujul2021.html
Patch https://www.oracle.com/security-alerts/cpuApr2021.html
Patch https://www.oracle.com/security-alerts/cpuapr2022.html
Patch https://www.oracle.com/security-alerts/cpujan2022.html
Patch https://www.oracle.com/security-alerts/cpuoct2021.html
Issue Tracking https://github.com/lodash/lodash/issues/4874
Exploit https://hackerone.com/reports/712065
Third Party Advisory https://security.netapp.com/advisory/ntap-20200724-0006/
Patch https://www.oracle.com//security-alerts/cpujul2021.html
Patch https://www.oracle.com/security-alerts/cpuApr2021.html
Patch https://www.oracle.com/security-alerts/cpuapr2022.html
Patch https://www.oracle.com/security-alerts/cpujan2022.html
Patch https://www.oracle.com/security-alerts/cpuoct2021.html
53
/ 100
high-risk
Severity 22/34 · High
Exploitability 7/34 · Low
Exposure 24/34 · High