material-ui-0.20.2.tgz: 1 vulnerabilities (highest severity is: 7.5)

[mend-local-app]

Vulnerable Library - material-ui-0.20.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash.merge/package.json

Found in HEAD commit: df030affe6fe3de4496f2f71d0bed6559686b108

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (material-ui version)	Remediation Possible**	Reachability
WS-2019-0185	High	7.5	lodash.merge-4.6.1.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2019-0185

Vulnerable Library - lodash.merge-4.6.1.tgz

The Lodash method `_.merge` exported as a module.

Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash.merge/package.json

Dependency Hierarchy:

• material-ui-0.20.2.tgz (Root Library)
  • ❌ lodash.merge-4.6.1.tgz (Vulnerable Library)

Found in HEAD commit: df030affe6fe3de4496f2f71d0bed6559686b108

Found in base branch: master

Vulnerability Details

lodash.merge before 4.6.2 is vulnerable to prototype pollution. The function merge() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2019-08-14

URL: WS-2019-0185

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1066

Release Date: 2019-08-14

Fix Resolution: 4.6.2