CVE-2019-10744

CWE-1321 — Prototype Pollution CWE-20 — Improper Input Validation10 documents8 sources

Severity

9.1CRITICAL

EPSS

3.3%

top 12.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager F5 Big-ip Analytics +17 more

Timeline

PublishedJul 26

Latest updateJan 15

Description

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages26 packages

▶npmlodash.defaultsdeep< 4.6.1

▶npmlodash< 4.17.12

▶npmlodash-es< 4.17.14

▶npmlodash-amd< 4.17.13

▶RubyGemslodash-rails< 4.17.12

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

CVE-2019-10744: Versions of lodash lower than 4↗2019-07-26

▶

CVEList

CVE-2019-10744: Versions of lodash lower than 4↗2019-07-25

▶

GHSA

Prototype Pollution in lodash↗2019-07-10

▶

OSV

Prototype Pollution in lodash↗2019-07-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Core (Lodash) — CVE-2019-10744↗2021-01-15

▶

Red Hat

nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties↗2019-08-09

▶

Debian

CVE-2019-10744: node-lodash - Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The...↗2019

▶

💬Community

Bugzilla

CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties↗2019-08-09

▶

Bugzilla

CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties [epel-all]↗2019-08-09

▶

External resources

NVD MITRE

Affected products20

F5 Big-ip Access Policy Manager≥ 12.1.0, < 12.1.5.2≥ 13.1.0, < 13.1.3.4≥ 14.1.0, < 14.1.2.5+2 more

F5 Big-ip Advanced Firewall Manager≥ 12.1.0, < 12.1.5.2≥ 13.1.0, < 13.1.3.4≥ 14.1.0, < 14.1.2.5+2 more

F5 Big-ip Analytics≥ 15.0.0, < 15.0.1.3≥ 15.1.0, < 15.1.0.2≥ 12.1.0, ≤ 12.1.5+2 more

F5 Big-ip Application Acceleration Manager≥ 12.1.0, < 12.1.5.2≥ 13.1.0, < 13.1.3.4≥ 14.1.0, < 14.1.2.5+2 more

F5 Big-ip Application Security Manager≥ 12.1.0, < 12.1.5.2≥ 13.1.0, < 13.1.3.4≥ 14.1.0, < 14.1.2.5+2 more

F5 Big-ip Application Visibility AND Reporting≥ 12.1.0, < 12.1.5.2≥ 14.1.0, < 14.1.2.5≥ 15.1.0, < 15.1.1+1 more

F5 Big-ip Domain Name System≥ 12.1.0, < 12.1.5.2≥ 13.1.0, < 13.1.3.4≥ 14.1.0, < 14.1.2.5+2 more

F5 Big-ip Edge Gateway≥ 12.1.0, < 12.1.5.2≥ 13.1.0, < 13.1.3.4≥ 14.1.0, < 14.1.2.5+2 more

F5 Big-ip Fraud Protection Service≥ 12.1.0, < 12.1.5.2≥ 13.1.0, < 13.1.3.4≥ 14.1.0, < 14.1.2.5+2 more

F5 Big-ip Global Traffic Manager≥ 12.1.0, < 12.1.5.2≥ 13.1.0, < 13.1.3.4≥ 14.1.0, < 14.1.2.5+2 more

Disclosure

PublishedJul 26, 2019

Latest updateJan 15, 2021