You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Apr 24, 2025. It is now read-only.
Resolve CVE-2020-8203 and replace lodash per method packages with main lodash package.
CVE-2020-8203 - Prototype Pollution in lodash
Description
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Current Behavior
Jovo 4.6.2 includes lodash.set which fails CVE-2020-8203 and there is no patched lodash per method package that resolves it. The best approach is to remove all lodash per method packages and instead use the patched lodash library 4.17.19 or above. This prepares Jovo for lodash v5 which will no longer support per method packages. See https://lodash.com/per-method-packages
The most recent version of lodash.set is 4.3.2 published 8 years ago.
Most recent version of lodash is 4.17.21 published 4 years ago.
I'm submitting a...
Expected Behavior
Resolve CVE-2020-8203 and replace lodash per method packages with main lodash package.
CVE-2020-8203 - Prototype Pollution in lodash
Description
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Current Behavior
Jovo 4.6.2 includes lodash.set which fails CVE-2020-8203 and there is no patched lodash per method package that resolves it. The best approach is to remove all lodash per method packages and instead use the patched lodash library 4.17.19 or above. This prepares Jovo for lodash v5 which will no longer support per method packages. See https://lodash.com/per-method-packages
The most recent version of lodash.set is 4.3.2 published 8 years ago.
Most recent version of lodash is 4.17.21 published 4 years ago.
Error Log
None
Your Environment