Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203 in cockpit-hq/cockpit

Valid

Reported on

Feb 20th 2023


Description

Lodash 4.17.15 in use which is vulnerable to CVE-2020-8203

Proof of Concept

1) Go to https://localhost/Cockpit/modules/App/assets/vendor/lodash.js?ver=2.3.9-1676855050 and note that the bundled lodash version is 4.17.15
2) Go to https://localhost/Cockpit/
3) Open the Web Developer tools (Ctrl+Shift+I) in Firefox
4) Go to the console
5) Enter _.zipObjectDeep(['__proto__.z'],[123])
6) Enter console.log(z) // 123 will appear everywhere, since the key was written onto Object.prototype and is inherited by every object (based on the PoC reference)
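As an added example (not code from the report or from the Cockpit project), here is a hardened deep-set in the style of zipObjectDeep that refuses the __proto__, constructor and prototype path segments, comparable to the guard later lodash releases added to their path-setting code, together with a runtime canary that confirms Object.prototype has not been polluted. The function names and the simplified path parser are my own assumptions.

```javascript
// Added example: hardened counterpart of _.zipObjectDeep plus a pollution canary.
// Not the Cockpit project's code; names below are hypothetical.

// Path segments that must never be traversed or assigned when setting by path.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted/bracketed path such as "a.b[0].c" into its segments.
// (Simplified parser: brackets with word characters only, no quoted keys.)
function toPath(path) {
  return String(path)
    .replace(/\[(\w+)\]/g, '.$1') // a[0] -> a.0
    .split('.')
    .filter((seg) => seg.length > 0);
}

// Assign `value` at `path` inside `target`, creating intermediate objects.
// Throws instead of walking into __proto__/constructor/prototype, so the
// "__proto__.z" payload from the report can never reach Object.prototype.
function safeSet(target, path, value) {
  const segments = toPath(path);
  if (segments.length === 0) throw new Error('empty path');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing to set unsafe path segment "${seg}"`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Only descend into own, non-null object properties; never reuse an
    // inherited value (e.g. a prototype method) as the next container.
    if (!Object.prototype.hasOwnProperty.call(node, seg) ||
        typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Hardened counterpart of _.zipObjectDeep(props, values).
function safeZipObjectDeep(props, values) {
  const result = {};
  props.forEach((p, i) => safeSet(result, p, values[i]));
  return result;
}

// Runtime canary: true if `key` has leaked onto Object.prototype.
function isPrototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```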

Impact

This vulnerability is capable of prototype pollution

References

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. 3 months ago
Joshua Chan modified the report
3 months ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back 3 months ago
Joshua Chan
3 months ago

Researcher


Hi @maintainer, this finding is fixed based on the commit https://github.com/Cockpit-HQ/Cockpit/commit/690016208850f2d788ebc3c67884d4c692587eb8 9 hours ago, could this report be valid? Thank you.

Artur validated this vulnerability 2 months ago
Joshua Chan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.4.0 with commit 690016 2 months ago
Artur has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 3rd 2023
Joshua Chan
2 months ago

Researcher


Hi @admins, I think maintainer has assigned a cve for this? Thanks.

Ben Harvie
2 months ago

Admin


The CVE will be assigned and published when the vulnerability goes public (Mar 2nd 2023), thanks!

Artur published this vulnerability 2 months ago