Fluid Attacks Database

Description

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	lodash-rails	>=0 <4.17.12	4.17.12
npm	lodash-amd	>=0 <4.17.13	4.17.13
npm	lodash	>=0 <4.17.12	4.17.12
npm	lodash-es	>=0 <4.17.14	4.17.14
npm	lodash.defaultsdeep	>=0 <4.6.1	4.6.1
npm	lodash.mergewith	>=0 <4.6.2	4.6.2
debian 11	node-lodash	>=0 <4.17.15+dfsg-1	4.17.15+dfsg-1
debian 13	node-lodash	>=0 <4.17.15+dfsg-1	4.17.15+dfsg-1
debian 14	node-lodash	>=0 <4.17.15+dfsg-1	4.17.15+dfsg-1
debian 12	node-lodash	>=0 <4.17.15+dfsg-1	4.17.15+dfsg-1

1-10 of 12

Aliases

1. CVE-2019-107442. NVD-2019-107443. OSV-2019-107444. OSV-DEBIAN-2019-107445. GHSA-jf85-cpcp-j6956. GCVE-2019-107447. access.redhat.com8. SECURITY-TRACKER-CVE-2019-10744

References

1. https://github.com/lodash/lodash/pull/43362. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml3. https://security.netapp.com/advisory/ntap-20191004-00054. https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS5. https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS6. https://www.oracle.com/security-alerts/cpujan2021.html7. https://www.oracle.com/security-alerts/cpuoct2020.html8. https://github.com/mlbrilliance/aurora-demo-lockfile9. https://www.npmjs.com/advisories/106510. https://security.netapp.com/advisory/ntap-20191004-0005/

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.