You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Resolve CVE-2020-8203 and replace lodash per method packages with main lodash package.
CVE-2020-8203 - Prototype Pollution in lodash
Description
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Current Behavior
Jovo 4.6.2 includes lodash.set which fails CVE-2020-8203 and there is no patched lodash per method package that resolves it. The best approach is to remove all lodash per method packages and instead use the patched lodash library 4.17.19 or above. This prepares Jovo for lodash v5 which will no longer support per method packages. See https://lodash.com/per-method-packages
The most recent version of lodash.set is 4.3.2 published 8 years ago.
Most recent version of lodash is 4.17.21 published 4 years ago.
Error Log
None
Your Environment
Jovo Framework version used: 4.6.2
Operating System: Windows 11 Pro
The text was updated successfully, but these errors were encountered:
I'm submitting a...
Expected Behavior
Resolve CVE-2020-8203 and replace lodash per method packages with main lodash package.
CVE-2020-8203 - Prototype Pollution in lodash
Description
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Current Behavior
Jovo 4.6.2 includes lodash.set which fails CVE-2020-8203 and there is no patched lodash per method package that resolves it. The best approach is to remove all lodash per method packages and instead use the patched lodash library 4.17.19 or above. This prepares Jovo for lodash v5 which will no longer support per method packages. See https://lodash.com/per-method-packages
The most recent version of lodash.set is 4.3.2 published 8 years ago.
Most recent version of lodash is 4.17.21 published 4 years ago.
Error Log
None
Your Environment
The text was updated successfully, but these errors were encountered: