[NAS-109598] Vulenribilty found in Web UI - iX - Bug Tracker (Jira)

XML

Word

Printable

Details

Type: Bug
Status: Done (View Workflow)
Priority: Low
Resolution: Complete
Affects Version/s: 12.0-U2.1
Fix Version/s: SCALE-21.04-ALPHA.1 (Angelfish), 12.0-U3
Component/s: System, WebUI
Labels:

Impact:
Low

Description

Current Netsparker scan shows Critial out of date version of Lodash in current version of TrueNAS

Netsparker Enterprise identified that the target web site is using Lodash and detected that it is out of date.

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

Lodash Prototype Pollution

Affected versions of this package are vulnerable to Prototype Pollution in zipObjectDeep due to an incomplete fix for CVE-2020- 8203. https://snyk.io/vuln/SNYK-JS-LODASH-590103

Affected Versions

0.1.0

External References

Exploits
lodash Allocation of Resources Without Limits or Throttling Vulnerability

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Affected Versions

4.17.9

External References

CVE-2020-8203

Attachments

JEditor

Activity

People

Assignee:: Denys Butenko

Reporter:: Peter Werba

Watchers:: Bonnie Follweiler, Bug Clerk, Kris Moore, Peter Werba, William Grzybowski

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 25/Feb/21 1:49 PM

Updated:: 10/Mar/21 3:45 PM

Resolved:: 10/Mar/21 3:45 PM