GHSA-jf85-cpcp-j695 (CVE-2019-10744)

Details

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Affected Packages

lodash-rails

RubyGems

Fixed in:

4.17.12

lodash

npm

Fixed in:

4.17.12

lodash-amd

npm

Fixed in:

4.17.13

lodash-es

npm

Fixed in:

4.17.14

lodash.defaultsdeep

npm

Fixed in:

4.6.1

References

WEBhttps://access.redhat.com/errata/RHSA-2019:3024 ADVISORYhttps://github.com/advisories/GHSA-jf85-cpcp-j695 WEBhttps://github.com/lodash/lodash/pull/4336 WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10744 WEBhttps://security.netapp.com/advisory/ntap-20191004-0005 WEBhttps://snyk.io/vuln/SNYK-JS-LODASH-450202 WEBhttps://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS WEBhttps://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS WEBhttps://www.oracle.com/security-alerts/cpujan2021.html WEBhttps://www.oracle.com/security-alerts/cpuoct2020.html

GHSA-jf85-cpcp-j695

Details

Recommendation

Affected Packages

References

Aliases

CVSS Analysis

Related

Ecosystems

Timeline