scriptex/rollup-mpa

CVE-2020-8203 (High) detected in lodash-4.17.19.tgz

Closed this issue · 0 comments

mend-bolt-for-github commented

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Path to dependency file: /tmp/ws-scm/rollup-mpa/package.json

Path to vulnerable library: /tmp/ws-scm/rollup-mpa/node_modules/lodash/package.json

Dependency Hierarchy:

  • core-7.10.5.tgz (Root Library)
    • lodash-4.17.19.tgz (Vulnerable Library)

Found in HEAD commit: 2101715213c75bb0eb8c78bb7252f495435c65c5

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here