swagger-codegen icon indicating copy to clipboard operation
swagger-codegen copied to clipboard

Published 20 hours ago verified publisher icon swagger-api

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz, lodash-4.17.10.tgz

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.11.tgz, lodash-4.17.10.tgz

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /samples/client/petstore/javascript-es6/package.json

Path to vulnerable library: /samples/client/petstore/javascript-es6/node_modules/lodash/package.json,/samples/client/petstore/javascript-promise-es6/node_modules/lodash/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • :x: lodash-4.17.11.tgz (Vulnerable Library)
lodash-4.17.10.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Path to dependency file: /samples/client/petstore/typescript-node/npm/package.json

Path to vulnerable library: /samples/client/petstore/typescript-node/npm/node_modules/lodash/package.json

Dependency Hierarchy:

  • rewire-3.0.2.tgz (Root Library)
    • babel-plugin-transform-es2015-block-scoping-6.26.0.tgz
      • :x: lodash-4.17.10.tgz (Vulnerable Library)

Found in HEAD commit: 4b7a8d7d7384aa6a27d6309c35ade0916edae7ed

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (rewire): 4.0.0

  • [ ] Check this box to open an automated fix PR

mend-for-github-com[bot] avatar Dec 29 '21 22:12 mend-for-github-com[bot]