Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203 in cockpit-hq/cockpit

Valid

Reported on

Feb 20th 2023


Description

Lodash 4.17.15 is in use, which is vulnerable to CVE-2020-8203 (prototype pollution via _.zipObjectDeep).

Proof of Concept

1) Go to https://localhost/Cockpit/modules/App/assets/vendor/lodash.js?ver=2.3.9-1676855050 and note that the lodash version is 4.17.15
2) Go to https://localhost/Cockpit/
3) Open the Web Developer Tools (Ctrl+Shift+I) in Firefox
4) Go to the Console tab (optionally confirm the bundled version first with _.VERSION, which prints "4.17.15")
5) Enter _.zipObjectDeep(['__proto__.z'],[123])
6) Enter console.log(z) // prints 123: the bare identifier z is resolved through window's prototype chain, which ends at the now-polluted Object.prototype, so every object in the page (for example ({}).z) now reads 123, matching the behaviour in the CVE reference PoC
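To make the mechanism behind steps 5 and 6 reproducible outside a browser, the following is an added example (not Cockpit's or lodash's own code). It models the deep-set walk that _.zipObjectDeep performs in its vulnerable form, the key filter that the upstream fix for CVE-2020-8203 introduced, a probe that tells you whether Object.prototype was actually polluted, and a version check of the kind you would run against _.VERSION. The fixed-version threshold 4.17.19 is the release the lodash advisory lists as patched (some trackers cite 4.17.20; adjust to your policy), and the setter implementations are simplified illustrations, not lodash's internals.

```javascript
'use strict';

// Vulnerable deep-set: walks an "a.b.c" path, creating intermediate objects,
// and never refuses '__proto__'. On a plain object, node['__proto__'] is
// Object.prototype, so '__proto__.z' writes z onto every object's prototype.
function vulnerableSetPath(object, path, value) {
  const keys = path.split('.');
  let node = object;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (node[key] == null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return object;
}

// Hardened deep-set: same walk, but keys that would reach a prototype are
// refused (the filter the lodash fix added to its internal baseSet; the exact
// set of keys here is an assumption for illustration).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSetPath(object, path, value) {
  const keys = path.split('.');
  let node = object;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (BLOCKED_KEYS.has(key)) return object; // refuse to traverse into a prototype
    if (node[key] == null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  const last = keys[keys.length - 1];
  if (BLOCKED_KEYS.has(last)) return object; // refuse to write a prototype key
  node[last] = value;
  return object;
}

// Mirrors the zipObjectDeep call shape: props[i] becomes the path for values[i].
function zipObjectDeepWith(setter, props, values) {
  const result = {};
  props.forEach((p, i) => setter(result, p, values[i]));
  return result;
}

// Runs one zipObjectDeep-style call and returns what a fresh, unrelated
// object sees for `key` afterwards: a non-undefined value means
// Object.prototype was polluted. Cleans up so the pollution does not leak.
function pollutionProbe(setter, path, value, key) {
  const hadOwn = Object.prototype.hasOwnProperty.call(Object.prototype, key);
  try {
    zipObjectDeepWith(setter, [path], [value]);
    return ({})[key];
  } finally {
    if (!hadOwn) delete Object.prototype[key];
  }
}

// Compares a lodash version string (what _.VERSION returns at runtime, or the
// `var VERSION = '...'` line in the vendored file) against the first release
// assumed here to carry the CVE-2020-8203 fix.
function lodashAffectedByCve20208203(version, firstFixed = '4.17.19') {
  const parse = v => v.split('.').map(n => parseInt(n, 10) || 0);
  const have = parse(version);
  const fixed = parse(firstFixed);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== fixed[i]) return have[i] < fixed[i];
  }
  return false; // equal to the fixed release: not affected
}

// Stand-alone demonstration of the report's PoC against both setters.
console.log('vulnerable:', pollutionProbe(vulnerableSetPath, '__proto__.z', 123, 'z'));
console.log('hardened:  ', pollutionProbe(safeSetPath, '__proto__.z', 123, 'z'));
console.log('4.17.15 affected:', lodashAffectedByCve20208203('4.17.15'));
```

The probe is the check worth keeping: a pollution report is only valid when an object that was never touched by the call now sees the injected property, which is exactly what step 6 observes through the global `z` lookup. Note that `constructor.prototype.z` is handled differently by the two setters only because the hardened one refuses the key; in the vulnerable walk `constructor` is a function and gets replaced by a fresh object, so that particular path does not pollute.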

Impact

This vulnerability allows prototype pollution: an attacker-controlled path passed to _.zipObjectDeep can add or overwrite properties on Object.prototype, which every object in the page then inherits.

References

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. a month ago
Joshua Chan modified the report
a month ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back a month ago
Joshua Chan
a month ago

Researcher


Hi @maintainer, this finding is fixed based on the commit https://github.com/Cockpit-HQ/Cockpit/commit/690016208850f2d788ebc3c67884d4c692587eb8 (9 hours ago). Could this report be marked valid? Thank you.

Artur validated this vulnerability 23 days ago
Joshua Chan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.4.0 with commit 690016 23 days ago
Artur has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 3rd 2023
Joshua Chan
22 days ago

Researcher


Hi @admins, I think the maintainer has assigned a CVE for this? Thanks.

Ben Harvie
22 days ago

Admin


The CVE will be assigned and published when the vulnerability goes public (Mar 2nd 2023), thanks!

Artur published this vulnerability 20 days ago