CVE-2019-10744 (High) detected in lodash-4.17.11.tgz #22

mend-for-github-com · 2019-11-20T16:20:20Z

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /tmp/ws-scm/grafana-logzio-datasource/package.json

Path to vulnerable library: /grafana-logzio-datasource/node_modules/lodash/package.json

Dependency Hierarchy:

❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: a43733d82f4738e811c47f644a432e4b03ac92eb

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12

The text was updated successfully, but these errors were encountered:

mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Nov 20, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz #22

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz #22

mend-for-github-com bot commented Nov 20, 2019

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz #22

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz #22

Comments

mend-for-github-com bot commented Nov 20, 2019

CVE-2019-10744 - High Severity Vulnerability