Prototype Pollution in lodash #514
Labels
Auto Create Issues
Label for Auto Created Issues
do-not-autoclose
Make bot can't close an Issues or PRs
High
This label for Security Severity only
Security
Label for Security Issues
Milestone
Description
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions
pick
,set
,setWith
,update
,updateWith
, andzipObjectDeep
allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Severity Check
Severity Number
7.4 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Weaknesses
CWE-770 CWE-1321
CVE ID
CVE-2020-8203
GHSA ID
GHSA-p6mc-m468-83gw
Source code
lodash/lodash
Information
lodash (npm)
Affected versions
>= 3.7.0, < 4.17.19
Patched versions
4.17.19
lodash-es (npm)
Affected versions
>= 3.7.0, < 4.17.20
Patched versions
4.17.20
lodash.pick (npm)
Affected versions
>= 4.0.0, <= 4.4.0
Patched versions
None
lodash.set (npm)
Affected versions
>= 3.7.0, <= 4.3.2
Patched versions
None
lodash.setwith (npm)
Affected versions
<= 4.3.2
Patched versions
None
lodash.update (npm)
Affected versions
<= 4.10.2
Patched versions
None
lodash.updatewith (npm)
Affected versions
<= 4.10.2
Patched versions
None
References
The text was updated successfully, but these errors were encountered: