
Blackduck: Automated PR: Update lodash/4.17.4 to 4.17.21 #267

Open

wants to merge 1 commit into base: SIGINT-2349 from

Conversation

github-actions[bot]

Vulnerabilities associated with lodash/4.17.4

BDSA-2018-3818 (HIGH): Lodash is vulnerable to denial-of-service (DoS) as the user-controllable input to certain functions is not sufficiently checked, allowing an attacker to add or modify existing properties of a presumably immutable Object data structure. An unauthenticated attacker can leverage this flaw to add arbitrary properties to objects used by the web application, which can be leveraged to cause a crash or to prevent the server from responding to all requests.

This vulnerability may also lead to remote code execution (RCE) in some applications, depending on the implementation.

BDSA-2019-2112 (HIGH): Lodash contains a prototype pollution flaw. An attacker could exploit this to modify the component or cause remote code execution or a denial-of-service (DoS).

BDSA-2019-3842 (HIGH): Lodash contains a denial-of-service (DoS) vulnerability. This is due to multiple methods not validating the length of content supplied to them. If an application is passing untrusted input to the Lodash library, it may be possible for an attacker to cause the process to crash, resulting in a DoS condition.

Please note that this issue is not considered by the vendor to be a vulnerability in Lodash; however, it could be exploited if an application using Lodash accepts user input without validation and passes it to the affected functions. A pull request was opened to update the Lodash documentation regarding this issue, but it was closed and not merged.

BDSA-2020-1674 (HIGH): Lodash is vulnerable to remote code execution (RCE) due to the potential to modify the properties of objects in memory. A remote attacker could run arbitrary commands on a vulnerable server, or cause the server to crash, by maliciously crafting an object via the zip functionality of Lodash.

Note: this issue was not properly addressed and required an additional fix and disclosure (BDSA-2020-3839).

BDSA-2020-3839 (HIGH): lodash is vulnerable to a prototype pollution flaw. A remote attacker may be able to supply specially crafted input to cause serious confidentiality, integrity and availability impacts to the application. In the past, such vulnerabilities have led to remote code execution (RCE) in the end application.

BDSA-2021-0392 (HIGH): Lodash is vulnerable to command injection via the template function. An attacker can take advantage of this vulnerability in order to run arbitrary commands.

