jamland / mono-switch Goto Github PK

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/lodash/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • css-hot-loader-1.4.4.tgz
    • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/dot-prop/package.json

Dependency Hierarchy:

• electron-builder-20.38.4.tgz (Root Library)
  • update-notifier-2.5.0.tgz
    • configstore-3.1.2.tgz
      • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Vulnerable Library - electron-4.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-4.0.1.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/electron/package.json

Dependency Hierarchy:

• ❌ electron-4.0.1.tgz (Vulnerable Library)

Vulnerability Details

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.

Publish Date: 2020-07-07

URL: CVE-2020-15096

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vrv-94jv-crrg

Release Date: 2020-07-07

Fix Resolution: electron - 6.1.11,8.2.4,9.0.0-beta.21

Vulnerable Library - serialize-javascript-1.7.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.7.0.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • terser-webpack-plugin-1.3.0.tgz
    • ❌ serialize-javascript-1.7.0.tgz (Vulnerable Library)

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Vulnerable Library - electron-4.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-4.0.1.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/electron/package.json

Dependency Hierarchy:

• ❌ electron-4.0.1.tgz (Vulnerable Library)

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4076

CVSS 3 Score Details (9.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m93v-9qjc-3g79

Release Date: 2020-07-07

Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21

Vulnerable Library - electron-4.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-4.0.1.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/electron/package.json

Dependency Hierarchy:

• ❌ electron-4.0.1.tgz (Vulnerable Library)

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4077

CVSS 3 Score Details (9.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h9jc-284h-533g

Release Date: 2020-07-07

Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-06-05

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/postcss-svgo/node_modules/js-yaml/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • html-loader-1.0.0-alpha.0.tgz
    • htmlnano-0.1.10.tgz
      • cssnano-3.10.0.tgz
        • postcss-svgo-2.1.6.tgz
          • svgo-0.7.2.tgz
            • ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

Vulnerable Library - electron-4.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-4.0.1.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/electron/package.json

Dependency Hierarchy:

• ❌ electron-4.0.1.tgz (Vulnerable Library)

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4075

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-f9mq-jph6-9mhm

Release Date: 2020-07-07

Fix Resolution: 7.2.4,8.2.4,9.0.0-beta.21

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/postcss-svgo/node_modules/js-yaml/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • html-loader-1.0.0-alpha.0.tgz
    • htmlnano-0.1.10.tgz
      • cssnano-3.10.0.tgz
        • postcss-svgo-2.1.6.tgz
          • svgo-0.7.2.tgz
            • ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution: js-yaml - 3.13.0

Vulnerable Library - node-forge-0.7.5.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.5.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/node-forge/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • webpack-dev-server-3.7.2.tgz
    • selfsigned-1.10.4.tgz
      • ❌ node-forge-0.7.5.tgz (Vulnerable Library)

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md

Release Date: 2020-09-13

Fix Resolution: node-forge - 0.10.0

Vulnerable Library - sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/sockjs/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • webpack-dev-server-3.7.2.tgz
    • ❌ sockjs-0.3.19.tgz (Vulnerable Library)

Vulnerability Details

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: sockjs/sockjs-node#265

Release Date: 2020-07-09

Fix Resolution: sockjs - 0.3.20

Vulnerable Library - is-svg-2.1.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-2.1.0.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/is-svg/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • html-loader-1.0.0-alpha.0.tgz
    • htmlnano-0.1.10.tgz
      • cssnano-3.10.0.tgz
        • postcss-svgo-2.1.6.tgz
          • ❌ is-svg-2.1.0.tgz (Vulnerable Library)

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution: v4.2.2

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/lodash/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • css-hot-loader-1.4.4.tgz
    • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

Vulnerable Library - http-proxy-1.17.0.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.17.0.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/http-proxy/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • webpack-dev-server-3.7.2.tgz
    • http-proxy-middleware-0.19.1.tgz
      • ❌ http-proxy-1.17.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-26

Fix Resolution: http-proxy - 1.18.1

Vulnerable Library - serialize-javascript-1.7.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.7.0.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • terser-webpack-plugin-1.3.0.tgz
    • ❌ serialize-javascript-1.7.0.tgz (Vulnerable Library)

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2019-12-05

Fix Resolution: v2.1.1

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/lodash/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • css-hot-loader-1.4.4.tgz
    • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@02906b8

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/lodash/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • css-hot-loader-1.4.4.tgz
    • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0