Vulenribilty found in Web UI

Description

Current Netsparker scan shows Critial out of date version of Lodash in current version of TrueNAS

Netsparker Enterprise identified that the target web site is using Lodash and detected that it is out of date.

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

Lodash Prototype Pollution

Affected versions of this package are vulnerable to Prototype Pollution in zipObjectDeep due to an incomplete fix for CVE-2020- 8203. https://snyk.io/vuln/SNYK-JS-LODASH-590103

Affected Versions

0.1.0

External References

Exploits
lodash Allocation of Resources Without Limits or Throttling Vulnerability

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Affected Versions

4.17.9

External References

CVE-2020-8203

Problem/Justification

None

Impact

None

SmartDraw Connector

Katalon Manual Tests (BETA)

Activity

Show:

Bug Clerk March 10, 2021 at 12:34 AM

21.04 PR: https://github.com/truenas/webui/pull/5225

Bug Clerk March 4, 2021 at 12:55 PM

12.0 PR: https://github.com/truenas/webui/pull/5194

Kris Moore March 1, 2021 at 10:36 PM

- No debug needed for this. However, with the way this is implemented on TrueNAS, its not really an exploitable security hole. We only use those libraries for reporting after you've logged into as root, which has full access to everything already. Its not accessible to lesser privileged users in any way. That said, it'll get updated here in the near future.

Peter Werba February 26, 2021 at 5:13 PM

Bonnie,

I am happy to include a debug however this is not so much a bug as a request to update the Lodash version. Should I re-submit this as a request it is a urgent security issue.

Bonnie Follweiler February 26, 2021 at 1:50 PM

Thank you for the report .

Can you please provide a debug (navigate to System -> Advanced, click save debug) and upload the files to the Attachments:Private area in this ticket?

Files uploaded into the private area in Attachments are only accessible by the developers.

Complete

Details
Assignee
Denys Butenko
Reporter
Peter Werba
Labels
Impact
Low
Components
Fix versions
SCALE-21.04-ALPHA.1
12.0-U3
Affects versions
12.0-U2.1
Priority
Low

More fields

Katalon Platform

Created February 25, 2021 at 6:49 PM

Updated July 1, 2022 at 5:13 PM

Resolved March 10, 2021 at 8:45 PM

Configure

Vulenribilty found in Web UI

Description

Problem/Justification

Impact

SmartDraw Connector

Katalon Manual Tests (BETA)

Activity

Bug Clerk March 10, 2021 at 12:34 AM

Bug Clerk March 4, 2021 at 12:55 PM

Kris Moore March 1, 2021 at 10:36 PM

Peter Werba February 26, 2021 at 5:13 PM

Bonnie Follweiler February 26, 2021 at 1:50 PM

DetailsAssigneeDenys ButenkoDenys ButenkoReporterPeter WerbaPeter WerbaLabelsWebUIready_for_reviewsecurityImpactLowComponentsFix versionsSCALE-21.04-ALPHA.112.0-U3Affects versions12.0-U2.1PriorityLow

Details

Assignee

Reporter

Labels

Impact

Components

Fix versions

Affects versions

Priority

More fieldsTime tracking

More fields

Katalon PlatformLinked Test Cases, Katalon Defect Results, Katalon Studio Test Results

Katalon Platform

Details
Assignee
Denys Butenko
Reporter
Peter Werba
Labels
Impact
Low
Components
Fix versions
SCALE-21.04-ALPHA.1
12.0-U3
Affects versions
12.0-U2.1
Priority
Low

More fields

Katalon Platform