Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8411-1 advisory.

    It was discovered that Lodash was vulnerable to a prototype pollution issue in the zipObjectDeep function.
    An attacker could possibly use this issue to modify application behavior. This issue only affected Ubuntu     18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203)

    Liyuan Chen discovered that Lodash was vulnerable to a regular expression denial of service issue in the     toNumber, trim, and trimEnd functions. An attacker could possibly use this issue to consume excessive     system resources, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu     20.04 LTS. (CVE-2020-28500)

    Marc Hassan discovered that Lodash did not properly sanitize input to the template function. An attacker     could possibly use this issue to inject and execute arbitrary commands. This issue only affected Ubuntu     16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-23337)

    It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit     functions. An attacker could possibly use this issue to delete properties from global prototypes,     resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04     LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-13465)

    It was discovered that Lodash was vulnerable to a prototype pollution issue in the unset and omit     functions. An attacker could possibly use this issue to delete properties from built-in prototypes,     resulting in security restrictions being bypassed. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04     LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-2950)

    It was discovered that Lodash did not properly validate certain inputs to the template function. An     attacker could possibly use this issue to inject malicious code during template processing, resulting in     arbitrary code execution. (CVE-2026-4800)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Jira Service Management Data Center and Server (Jira Service Desk) running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16479 advisory.

  - Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. (CVE-2020-8203)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. (CVE-2020-8203)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0613 advisory.

  - A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as     @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states we are in     the process of marking this report as invalid; however, some third parties takes the position that A     prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge     or deep cloning but also when a target object is polluted. (CVE-2022-37616)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the     XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to     access an array at a negative 2GB offset, typically leading to a segmentation fault. (CVE-2022-40303)

  - An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a     hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be     provoked. (CVE-2022-40304)

  - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName.
    X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME     incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently     interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL     checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may     allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or     enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate     chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these     inputs, the other input must already contain an X.400 address as a CRL distribution point, which is     uncommon. As such, this vulnerability is most likely to only affect applications which have implemented     their own functionality for retrieving CRLs over a network. (CVE-2023-0286)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, Lodash is prior to 4.17.20. It is, therefore, affected by a prototype pollution vulnerability in zipObjectDeep.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The 17.12.11, 18.8.11, 19.12.10, and 20.12.0 versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Nimbus JOSE+JWT)). Supported versions that are affected are 18.8.0-18.8.11. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera     Gateway. Successful attacks of this vulnerability can result in takeover of Primavera Gateway.
    (CVE-2019-17195)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Lodash)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10 and     20.12.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Primavera Gateway. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Primavera Gateway accessible data and     unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway.
    (CVE-2020-8203)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Netty)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.11 and 19.12.0-19.12.10.
    Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Primavera Gateway. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Primavera Gateway accessible data.
    (CVE-2021-21409)     
  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:
    jackson-databind). (CVE-2020-36189)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5611 advisory.

    The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include     redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH)     are installed using a special build of Red Hat Enterprise Linux with only the packages required to host     virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and     performing administrative tasks.

    The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-     virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed     using a special build of Red Hat Enterprise Linux with only the packages required to host virtual     machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing     administrative tasks.

    The following packages have been upgraded to a later upstream version: cockpit-ovirt (0.14.15), redhat-     release-virtualization-host (4.4.3), redhat-virtualization-host (4.4.3), v2v-conversion-host (1.16.2).
    (BZ#1898023, BZ#1902301, BZ#1907539)

    Security Fix(es):

    * lldpd: buffer overflow in the lldp_decode function in daemon/protocols/lldp.c (CVE-2015-8011)

    * nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * Previously, upgrade from Red Had Virtualization (RHV) 4.4.1 to RHV 4.4.2 failed due to dangling symlinks     from the iSCSI Storage Domain that weren't cleaned up. In this release, the upgrade succeeds. (BZ#1895356)

    * Previously, when migrating a Windows virtual machine from a VMware environment to Red Hat Virtualization     4.4.3, the migration failed due to a file permission error. In this release, the migration succeeds.
    (BZ#1901423)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5179 advisory.

    The org.ovirt.engine-root is a core component of oVirt.

    The following packages have been upgraded to a later upstream version: engine-db-query (1.6.2),     org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2),     ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1), ovirt-engine-ui-extensions     (1.2.4), ovirt-log-collector (4.4.4), ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-     branding-rhv (4.4.6). (BZ#1866981, BZ#1879377)

    Security Fix(es):

    * nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript     execution (CVE-2019-20920)

    * nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS     (CVE-2019-20922)

    * nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * send --nowait to libvirt when we collect qemu stats, to consume bz#1552092 (BZ#1613514)

    * Block moving HE hosts into different Data Centers and make HE host moved to different cluster     NonOperational after activation (BZ#1702016)

    * If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next     free MAC. (BZ#1760170)

    * Search backend cannot find VMs which name starts with a search keyword (BZ#1797717)

    * [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)

    * enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)

    * NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)

    * Adding quota to group doesn't propagate to users (BZ#1822372)

    * Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template (BZ#1829691)

    * Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)

    * RHV-M shows successful operation if OVA export/import failed during qemu-img convert phase     (BZ#1854888)

    * Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a     disk with that address (BZ#1855305)

    * rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)

    * RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run (BZ#1866862)

    * Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)

    * HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)

    * [CNV&RHV]Notification about VM creation contain <UNKNOWN> string (BZ#1873136)

    * VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after     restart (BZ#1877632)

    * Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation     (BZ#1879280)

    * unable to create/add index pattern in step 5 from kcs articles#4921101 (BZ#1881634)

    * [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)

    * Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)

    * [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)

    * Require ansible-2.9.14 in ovirt-engine (BZ#1888626)

    Enhancement(s):

    * [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)

    * [RFE] - enable renaming HostedEngine VM name (BZ#1657294)

    * [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)

    * [RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)

    * [RFE] RHV-M Deployment/Install Needs it's own UUID (BZ#1825020)

    * [RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)

    * [RFE] Expose the reinstallation required flag of the hosts in the API (BZ#1856671)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3807 advisory.

    The org.ovirt.engine-root is a core component of oVirt.

    The following packages have been upgraded to a later upstream version: ansible-runner-service (1.0.5),     org.ovirt.engine-root (4.4.2.3), ovirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1),     ovirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3), ovirt-web-ui (1.6.4), rhvm-branding-rhv     (4.4.5), rhvm-dependencies (4.4.1), vdsm-jsonrpc-java (1.5.5). (BZ#1674420, BZ#1866734)

    A list of bugs fixed in this update is available in the Technical Notes     book:

    https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

    Security Fix(es):

    * nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

    * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)

    * jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code     execution (CVE-2020-11023)

    * ovirt-engine: Reflected cross site scripting vulnerability (CVE-2020-14333)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * Cannot assign direct LUN from FC storage - grayed out (BZ#1625499)

    * VM portal always asks how to open console.vv even it has been set to default application. (BZ#1638217)

    * RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520)

    * On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879)

    * Possible missing block path for a SCSI host device needs to be handled in the UI (BZ#1801206)

    * Scheduling Memory calculation disregards huge-pages (BZ#1804037)

    * Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. (BZ#1804046)

    * In Admin Portal, Huge Pages (size: amount) needs to be clarified (BZ#1806339)

    * Refresh LUN is using host from different Data Center to scan the LUN (BZ#1838051)

    * Unable to create Windows VM's with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin     portal (BZ#1843234)

    * [RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488)

    * [CNV&RHV] Add-Disk operation failed to complete. (BZ#1855377)

    * Cannot create KubeVirt VM as a normal user (BZ#1859460)

    * Welcome page - remove Metrics Store links and update Insights Guide link (BZ#1866466)

    * [RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209)

    * VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB     bus is disabled. (BZ#1871235)

    * spec_ctrl host feature not detected (BZ#1875609)

    Enhancement(s):

    * [RFE] API for changed blocks/sectors for a disk for incremental backup usage (BZ#1139877)

    * [RFE] Improve workflow for storage migration of VMs with multiple disks (BZ#1749803)

    * [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots     (BZ#1763812)

    * [RFE] enhance search filter for Storage Domains with free argument (BZ#1819260)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3369 advisory.

    Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for     installation into an on-premise OpenShift Container Platform installation.

    Security Fix(es):

    * golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)

    * nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

    * jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code     execution (CVE-2020-11023)

    * macaron: open redirect in the static handler (CVE-2020-12666)

    * golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash     (CVE-2020-14040)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
320407	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Lodash vulnerabilities (USN-8411-1)	Nessus	Ubuntu Local Security Checks	high
297644	Atlassian Jira Service Management Data Center and Server 10.3.x < 10.3.12 / 11.0.x < 11.1.0 (JSDSERVER-16479)	Nessus	Misc.	high
250940	Linux Distros Unpatched Vulnerability : CVE-2020-8203	Nessus	Misc.	high
194919	Splunk Enterprise < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0613)	Nessus	CGI abuses	critical
113007	Lodash < 4.17.20 Prototype Pollution	Web App Scanning	Component Vulnerability	high
151974	Oracle Primavera Gateway (Jul 2021 CPU)	Nessus	CGI abuses	critical
144405	RHEL 8 : Red Hat Virtualization (RHSA-2020:5611)	Nessus	Red Hat Local Security Checks	critical
143235	RHEL 8 : Red Hat Virtualization (RHSA-2020:5179)	Nessus	Red Hat Local Security Checks	high
140750	RHEL 8 : Red Hat Virtualization (RHSA-2020:3807)	Nessus	Red Hat Local Security Checks	high
139385	RHEL 7 / 8 : Red Hat OpenShift Service Mesh (RHSA-2020:3369)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2020-8203

high

Tenable Plugins

high

high

high

critical

high

critical

critical

high

high

high