Description
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
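The mechanism behind the "constructor payload" is easier to see in code. The block below is an added example, not lodash's own source: it is a stripped-down model of a recursive defaults merge that reproduces the behaviour described above (following an inherited `constructor` property into `Object` and then into `Object.prototype`), placed beside a hardened variant that refuses the dangerous keys. All function names and the two payloads are constructed for this illustration.

```javascript
// Added example (not lodash's code): a minimal model of a recursive
// "defaults" merge that reproduces the CVE-2019-10744 behaviour, next to a
// hardened variant. Function names and payloads are hypothetical.

// lodash's isObject treats functions as objects; that is what lets a merge
// walk from `{}` into `constructor` (the Object function) and on to
// `prototype` (Object.prototype).
function isObjectLoose(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable model: no key filtering, and inherited target values are followed.
function defaultsDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const srcVal = source[key];
    const tgtVal = target[key]; // also returns inherited props such as `constructor`
    if (isObjectLoose(srcVal) && isObjectLoose(tgtVal)) {
      defaultsDeepVulnerable(tgtVal, srcVal);
    } else if (tgtVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Hardened model: refuse the keys that lead to a prototype, recurse only into
// own plain-object values, and never read inherited target properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function defaultsDeepHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const srcVal = source[key];
    const tgtVal = hasOwn(target, key) ? target[key] : undefined;
    if (isPlainObject(srcVal) && isPlainObject(tgtVal)) {
      defaultsDeepHardened(tgtVal, srcVal);
    } else if (tgtVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed attacker input, as it would arrive via JSON.parse on a request body.
// JSON.parse creates own properties named "constructor" and "__proto__",
// so Object.keys() enumerates them.
const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": "yes"}}}';
const PROTO_PAYLOAD = '{"__proto__": {"polluted": "yes"}}';

// Runs one merge against an empty object and reports what an unrelated,
// freshly created object inherits afterwards. Removes the property again so
// repeated runs start from a clean Object.prototype.
function leakedAfterMerge(mergeFn, payloadJson) {
  mergeFn({}, JSON.parse(payloadJson));
  const unrelated = {};
  const leaked = unrelated.polluted; // undefined unless Object.prototype was modified
  delete Object.prototype.polluted;
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable, constructor payload:', leakedAfterMerge(defaultsDeepVulnerable, CONSTRUCTOR_PAYLOAD));
  console.log('vulnerable, __proto__ payload:  ', leakedAfterMerge(defaultsDeepVulnerable, PROTO_PAYLOAD));
  console.log('hardened, constructor payload:  ', leakedAfterMerge(defaultsDeepHardened, CONSTRUCTOR_PAYLOAD));
  console.log('hardened, __proto__ payload:    ', leakedAfterMerge(defaultsDeepHardened, PROTO_PAYLOAD));
}
```

The vulnerable walk is `{}` → `{}.constructor` (the `Object` function, reached as an inherited property) → `Object.prototype` → a new key written on every object in the process. The upstream fix in the pull request linked below takes the same approach as the hardened variant, refusing to follow `constructor` (when it is a function) and `__proto__` through the merge path. When auditing a dependency tree, the check that matters is the resolved lodash version per package (`npm ls lodash`), since nested copies below 4.17.12 remain exposed even when the top-level dependency is patched.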
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| node-lodash | fixed | 4.17.15+dfsg-1 | | package |
| node-lodash | fixed | 4.17.11+dfsg-2+deb10u1 | buster | package |
| node-lodash | end-of-life | | stretch | package |
| node-lodash | end-of-life | | jessie | package |
Notes
https://snyk.io/vuln/SNYK-JS-LODASH-450202
https://github.com/lodash/lodash/issues/4348
https://github.com/lodash/lodash/pull/4336
Related vulnerabilities
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
A vulnerability in the defaultsDeep function of the Lodash library that allows an attacker to cause a denial of service, execute arbitrary JavaScript code or escalate privileges