CVE-2018-3721
Published 2018-06-07
CVE-2018-3721: lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions…
Priority P4 · 33 · medium · CVSS 3.1 base score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
EPSS: 2.41% (82.1st percentile)
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-lodash | < node-lodash 4.17.11+dfsg-1 (bookworm) | node-lodash 4.17.11+dfsg-1 (bookworm) |
| hackerone | lodash_node_module | — | — |
| lodash | lodash | < 4.17.5 | 4.17.5 |
| lodash | lodash | >= 0 < 4.17.5 | 4.17.5 |
| netapp | system_manager | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | LOW | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
OSV
Prototype Pollution in lodash
osv·2018-07-26
Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`, which allow a malicious user to modify the prototype of `Object` via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.
## Recommendation
Update to version 4.17.5 or later.
GHSA
Prototype Pollution in lodash
ghsa·2018-07-26
CVE-2018-3721 [MEDIUM] CWE-1321 Prototype Pollution in lodash
Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are `defaultsDeep`, `merge`, and `mergeWith`, which allow a malicious user to modify the prototype of `Object` via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.
## Recommendation
Update to version 4.17.5 or later.
OSV
CVE-2018-3721: lodash node module before 4
osv·2018-06-07·CVSS 6.5
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Red Hat
lodash: Prototype pollution in utilities function
vendor_redhat·2018-02-15·CVSS 6.5
CVE-2018-3721 [MEDIUM] CWE-20 lodash: Prototype pollution in utilities function
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Statement: Red Hat CloudForms version 4.7 does not ship component lodash, so isn't affected by this flaw.
Red Hat Virtualization 4.2 EUS includes a vulnerable version of lodash as part of the ovirt-engine-dashboard package. This package has been removed from Red Hat Virtualization 4.3.
Package: lodash-rails (CloudForms Management Engine 5) - Will not fix
Package: nodejs-lodash (Red Hat Mobile Application Platfo
Debian
CVE-2018-3721: node-lodash - lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
vendor_debian·2018·CVSS 6.5
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Scope: local
bookworm: resolved (fixed in 4.17.11+dfsg-1)
bullseye: resolved (fixed in 4.17.11+dfsg-1)
forky: resolved (fixed in 4.17.11+dfsg-1)
sid: resolved (fixed in 4.17.11+dfsg-1)
trixie: resolved (fixed in 4.17.11+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-3721 nodejs-lodash: lodash: Prototype pollution in utilities function [epel-all]
bugzilla·2018-02-15·CVSS 6.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
Bugzilla
CVE-2018-3721 lodash: Prototype pollution in utilities function
bugzilla·2018-02-15·CVSS 6.5
Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allows modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property leading to potential denial of service.
Upstream patch:
https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
References:
https://snyk.io/vuln/npm:lodash:20180130
https://hackerone.com/reports/310443
Discussion:
Created lodash tracking bugs for this issue:
Affects: fedora-all [bug 1545887]
Created nodejs-lodash tracking bugs for this issue:
Affects: epel-all [bug 1545885]
---
Node of the libraries, or services using the lodash in R
Bugzilla
CVE-2018-3721 lodash: Prototype pollution in utilities function [fedora-all]
bugzilla·2018-02-15·CVSS 6.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
References
https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
https://hackerone.com/reports/310443
https://security.netapp.com/advisory/ntap-20190919-0004/
Published: 2018-06-07