detain/ConSolo

CVE-2019-10744 (High) detected in lodash-4.17.12-pre.js, lodash-4.17.12-pre.min.js - autoclosed

mend-bolt-for-github opened this issue · 1 comments

mend-bolt-for-github commented

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.12-pre.js, lodash-4.17.12-pre.min.js

lodash-4.17.12-pre.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.js

Path to dependency file: /public/vuetify-list-collapse/dist/index.html

Path to vulnerable library: /public/vuetify-list-collapse/dist/index.html

Dependency Hierarchy:

  • lodash-4.17.12-pre.js (Vulnerable Library)
lodash-4.17.12-pre.min.js

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.12-pre/lodash.min.js

Path to dependency file: /public/tree-menu-vue-component-vuetify-treeview/src/index.html

Path to vulnerable library: /public/tree-menu-vue-component-vuetify-treeview/src/index.html

Dependency Hierarchy:

  • lodash-4.17.12-pre.min.js (Vulnerable Library)

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github commented

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.