CVE-2018-16487 High Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.4.tgz, lodash-1.0.2.tgz, lodash-3.10.1.tgz

lodash-4.17.4.tgz

Lodash modular utilities.

path: null

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Dependency Hierarchy:

• gulp-sass-3.1.0.tgz (Root Library)
  • node-sass-4.7.2.tgz
    • gaze-1.1.2.tgz
      • globule-1.2.0.tgz
        • ❌ lodash-4.17.4.tgz (Vulnerable Library)

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: null

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

path: null

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

• browser-sync-2.23.6.tgz (Root Library)
  • easy-extender-2.3.2.tgz
    • ❌ lodash-3.10.1.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

---

Step up your Open Source Security Game with WhiteSource here