fix(deps): update dependency lodash to v4.17.21 [security] #18

secustor · 2023-09-20T13:42:22Z

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
lodash (source)	dependencies	minor	`4.10.0` -> `4.17.21`

Prototype Pollution in lodash

CVE-2018-3721 / GHSA-fvqr-27wr-82fm

More information

Details

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Severity

CVSS Score: 6.5 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Prototype Pollution in lodash

CVE-2018-16487 / GHSA-4xc9-xhrj-v574

More information

Details

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

Severity

High

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Regular Expression Denial of Service (ReDoS) in lodash

CVE-2019-1010266 / GHSA-x5rq-j2xg-h7qm

More information

Details

lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Prototype Pollution in lodash

CVE-2019-10744 / GHSA-jf85-cpcp-j695

More information

Details

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Severity

CVSS Score: 9.1 / 10 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Prototype Pollution in lodash

CVE-2020-8203 / GHSA-p6mc-m468-83gw

More information

Details

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Severity

CVSS Score: 7.4 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Regular Expression Denial of Service (ReDoS) in lodash

CVE-2020-28500 / GHSA-29mw-wpgm-hmr9

More information

Details

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Steps to reproduce (provided by reporter Liyuan Chen):

var lo = require('lodash');

function build_blank(n) {
    var ret = "1"
    for (var i = 0; i < n; i++) {
        ret += " "
    }
    return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s) 
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Command Injection in lodash

CVE-2021-23337 / GHSA-35jh-r3h4-6jhm

More information

Details

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Severity

CVSS Score: 7.2 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

lodash/lodash (lodash)

fix(deps): update dependency lodash to v4.17.21 [security] #18

Are you sure you want to change the base?

fix(deps): update dependency lodash to v4.17.21 [security] #18

Conversation

secustor commented Sep 20, 2023 • edited Loading

Prototype Pollution in lodash

Details

Recommendation

Severity

References

Prototype Pollution in lodash

Details

Recommendation

Severity

References

Regular Expression Denial of Service (ReDoS) in lodash

Details

Severity

References

Prototype Pollution in lodash

Details

Recommendation

Severity

References

Prototype Pollution in lodash

Details

Severity

References

Regular Expression Denial of Service (ReDoS) in lodash

Details

Severity

References

Command Injection in lodash

Details

Severity

References

Release Notes

Configuration

secustor commented Sep 20, 2023 •

edited

Loading