Fix CVE–2019–10744

[debricked]

CVE–2019–10744

Vulnerable dependency:     lodash (npm)    4.17.5

Vulnerable dependency:     lodash.mergewith (npm)    4.6.1

Vulnerable dependency:     lodash.defaultsdeep (npm)    4.3.2

Vulnerability details

Description

GitHub

Prototype Pollution in lodash

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

NVD

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVSS details - 9.1

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity	High
Availability	High

References

    Prototype Pollution in lodash · CVE-2019-10744 · GitHub Advisory Database · GitHub
    NVD - CVE-2019-10744
    CVE-2019-10744 Lodash Vulnerability in NetApp Products | NetApp Product Security
    Red Hat Customer Portal - Access to 24x7 support and knowledge
    CONFIRM
    Oracle Critical Patch Update Advisory - October 2020
    Oracle Critical Patch Update Advisory - January 2021
    fix: prototype pollution in _.defaultsDeep by Kirill89 · Pull Request #4336 · lodash/lodash · GitHub
    Prevent prototype pollution chaining to code execution via _.template by alexbrasetvik · Pull Request #4355 · lodash/lodash · GitHub
    Fix for prototype pollution by rachaelshaw · Pull Request #1 · sailshq/lodash · GitHub
    GitHub · Where software is built
    Prototype Pollution in lodash · CVE-2019-10744 · GitHub Advisory Database · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE