Description
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing a property to be added to, or an existing property to be modified on, every object in the runtime.
Recommendation
Update to version 4.17.12 or later.
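As an added example (not lodash's own code and not taken from the advisory sources), the block below shows the mitigation pattern the fixed versions rely on: a deep-defaults merge that only walks own keys of plain objects and refuses the keys that reach Object.prototype (constructor, prototype, __proto__), plus a small check that reports whether Object.prototype has acquired an own property it should not have. The function names, the constructed untrusted input and the "polluted" marker key are assumptions for illustration.

```javascript
'use strict';

// Keys through which a naive deep merge can reach Object.prototype.
// Any merge that writes nested keys from untrusted input must skip these.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (literal / JSON / null-prototype) are merged recursively;
// class instances, arrays and functions are assigned as-is.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hypothetical hardened counterpart of defaultsDeep: fill in properties that
// `target` lacks from `source`, recursing into plain objects, but never
// descending through a blocked key and never touching inherited properties.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // refuse the path to Object.prototype
    const srcVal = source[key];
    if (!Object.prototype.hasOwnProperty.call(target, key)) {
      // Copy plain objects rather than aliasing untrusted input into the target.
      target[key] = isPlainObject(srcVal) ? safeDefaultsDeep({}, srcVal) : srcVal;
    } else if (isPlainObject(target[key]) && isPlainObject(srcVal)) {
      safeDefaultsDeep(target[key], srcVal);
    }
  }
  return target;
}

// Detection helper: a clean runtime has none of the given keys as *own*
// properties of Object.prototype; any hit indicates pollution has occurred.
function findPollutedKeys(candidateKeys) {
  return candidateKeys.filter((k) =>
    Object.prototype.hasOwnProperty.call(Object.prototype, k)
  );
}

// Constructed untrusted input (e.g. a parsed request body) shaped like the
// advisory's description; JSON.parse makes "constructor" an own key here.
const UNTRUSTED_INPUT = JSON.parse(
  '{"constructor":{"prototype":{"polluted":"yes"}},"theme":"dark","nested":{"depth":2}}'
);

// Merge application defaults with the untrusted input and report the outcome.
function demo() {
  const defaults = { theme: 'light', retries: 3, nested: { depth: 1 } };
  const config = safeDefaultsDeep(defaults, UNTRUSTED_INPUT);
  return {
    config,
    pollutedKeys: findPollutedKeys(['polluted']), // expected: []
    freshObjectSeesMarker: ({}).polluted,          // expected: undefined
  };
}

console.log(JSON.stringify(demo()));
```

Note that the check in findPollutedKeys uses hasOwnProperty on Object.prototype itself: testing `'polluted' in {}` would also work, but an own-property check distinguishes a polluted prototype from a legitimately defined property on the object under test.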
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-10744
- https://github.com/lodash/lodash/pull/4336
- https://access.redhat.com/errata/RHSA-2019:3024
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml
- https://security.netapp.com/advisory/ntap-20191004-0005
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
Packages
- lodash: affected < 4.17.12, fixed in 4.17.12
- lodash-es: affected < 4.17.14, fixed in 4.17.14
- lodash-amd: affected < 4.17.13, fixed in 4.17.13
- lodash.defaultsdeep: affected < 4.6.1, fixed in 4.6.1
- lodash-rails: affected < 4.17.12, fixed in 4.17.12
Related vulnerabilities
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
A vulnerability in the defaultsDeep function of the Lodash library that allows an attacker to cause a denial of service, execute arbitrary JavaScript code, or escalate privileges.