Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA2bWMtbTQ2OC04M2d3
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability adds a property to, or modifies an existing property on, Object.prototype; the change is then visible on every object in the process and may lead to Denial of Service or Code Execution under specific circumstances.
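To make the description concrete, the following is an added example written for this page, not lodash's own code: a minimal deep "set" that reproduces the path-walking behaviour the advisory describes (user-supplied path segments followed blindly, including through __proto__ and constructor.prototype), beside a hardened form that refuses prototype-reaching keys and only descends into own properties. The names unsafeSet, safeSet, demonstrate and the attacker path strings are constructed for the example and do not come from the advisory or the lodash source.

```javascript
// Added example (not lodash's code): a minimal deep "set" that mirrors the
// vulnerable pattern in the advisory, beside a hardened version.
// unsafeSet, safeSet and demonstrate are names chosen for this example.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept "a.b.c" or ['a', 'b', 'c'], as the lodash path functions do.
function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// lodash-style isObject: plain objects, arrays AND functions count.
// That is why "constructor.prototype" is walkable: `constructor` is a function.
function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// VULNERABLE: walks or creates nested objects along the path with no key check.
// "__proto__.isAdmin" steps onto Object.prototype, and so does
// "constructor.prototype.isAdmin"; the final assignment then lands on the
// prototype shared by every object in the process.
function unsafeSet(target, path, value) {
  const keys = toPath(path);
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!isObjectLike(cur[k])) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// HARDENED: refuse any segment that can reach a prototype, and only descend
// into *own* properties so an inherited object (e.g. toString) is never
// used as a container.
function safeSet(target, path, value) {
  const keys = toPath(path);
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to set through prototype key "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || !isObjectLike(cur[k])) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runs one attacker-controlled path (constructed input) through a set
// function and reports whether an unrelated, freshly created object picked
// up the injected `isAdmin` property. Object.prototype is restored afterwards
// so the rest of the process is unaffected.
function demonstrate(setFn, attackerPath) {
  const session = {}; // the object the application meant to update
  let rejected = false;
  try {
    setFn(session, attackerPath, true);
  } catch (e) {
    rejected = true;
  }
  const polluted = ({}).isAdmin === true; // a brand-new object should never have this
  delete Object.prototype.isAdmin;
  return { polluted, rejected };
}

// Stand-alone run: the vulnerable version pollutes, the hardened one refuses.
console.log('unsafeSet __proto__:', demonstrate(unsafeSet, '__proto__.isAdmin'));
console.log('unsafeSet constructor.prototype:', demonstrate(unsafeSet, 'constructor.prototype.isAdmin'));
console.log('safeSet __proto__:', demonstrate(safeSet, '__proto__.isAdmin'));
console.log('safeSet normal path:', safeSet({}, 'user.prefs.theme', 'dark'));
```

The key filter is a stopgap for code that must build object paths from user input; the practical remediation for the advisory itself is to move to lodash 4.17.19 or later (lodash-es 4.17.20 or later), since the per-method packages listed below (lodash.set, lodash.setwith, lodash.update, lodash.updatewith, lodash.pick) have no fixed version. Note that the check in the hardened version is deliberately conservative: a legitimate path that happens to contain a segment named constructor or prototype is rejected too.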
Permalink: https://github.com/advisories/GHSA-p6mc-m468-83gw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA2bWMtbTQ2OC04M2d3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: about 1 year ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Percentage: 0.01012
EPSS Percentile: 0.83539
Identifiers: GHSA-p6mc-m468-83gw, CVE-2020-8203
References:
- https://github.com/lodash/lodash/issues/4744
- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12
- https://nvd.nist.gov/vuln/detail/CVE-2020-8203
- https://hackerone.com/reports/712065
- https://github.com/lodash/lodash/issues/4874
- https://github.com/github/advisory-database/pull/2884
- https://hackerone.com/reports/864701
- https://github.com/lodash/lodash/wiki/Changelog#v41719
- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744
- https://security.netapp.com/advisory/ntap-20200724-0006/
- https://github.com/advisories/GHSA-p6mc-m468-83gw
Blast Radius: 46.5
Affected Packages
npm:lodash.updatewith
Dependent packages: 3
Dependent repositories: 2
Downloads: 419 last month
Affected Version Ranges: <= 4.10.2
No known fixed version
All affected versions: 4.6.0, 4.6.1, 4.7.0, 4.9.0, 4.10.0, 4.10.1, 4.10.2
npm:lodash.update
Dependent packages: 21
Dependent repositories: 144
Downloads: 13,141 last month
Affected Version Ranges: <= 4.10.2
No known fixed version
All affected versions: 4.6.0, 4.6.1, 4.7.0, 4.9.0, 4.10.0, 4.10.1, 4.10.2
npm:lodash.setwith
Dependent packages: 49
Dependent repositories: 126
Downloads: 134,944 last month
Affected Version Ranges: <= 4.3.2
No known fixed version
All affected versions: 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2
npm:lodash.set
Dependent packages: 1,948
Dependent repositories: 154,030
Downloads: 7,292,479 last month
Affected Version Ranges: >= 3.7.0, <= 4.3.2
No known fixed version
All affected versions: 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2
npm:lodash.pick
Dependent packages: 1,730
Dependent repositories: 255,591
Downloads: 8,099,860 last month
Affected Version Ranges: >= 4.0.0, <= 4.4.0
No known fixed version
All affected versions: 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0, 4.4.0
npm:lodash-es
Dependent packages: 10,953
Dependent repositories: 469,349
Downloads: 44,015,800 last month
Affected Version Ranges: >= 3.7.0, < 4.17.20
Fixed in: 4.17.20
All affected versions: 3.7.0, 3.8.0, 3.9.0, 3.9.2, 3.9.3, 3.10.0, 3.10.1, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.8.0, 4.8.2, 4.9.0, 4.10.0, 4.11.0, 4.11.1, 4.11.2, 4.12.0, 4.13.0, 4.13.1, 4.14.0, 4.14.1, 4.14.2, 4.15.0, 4.16.0, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.16.5, 4.16.6, 4.17.0, 4.17.1, 4.17.2, 4.17.3, 4.17.4, 4.17.5, 4.17.6, 4.17.7, 4.17.8, 4.17.9, 4.17.10, 4.17.11, 4.17.12, 4.17.13, 4.17.14, 4.17.15
All unaffected versions: 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.6.0, 4.17.20, 4.17.21
npm:lodash
Dependent packages: 159,122
Dependent repositories: 1,936,033
Downloads: 211,460,287 last month
Affected Version Ranges: >= 3.7.0, < 4.17.19
Fixed in: 4.17.19
All affected versions: 3.7.0, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.10.0, 3.10.1, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.10.0, 4.11.0, 4.11.1, 4.11.2, 4.12.0, 4.13.0, 4.13.1, 4.14.0, 4.14.1, 4.14.2, 4.15.0, 4.16.0, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.16.5, 4.16.6, 4.17.0, 4.17.1, 4.17.2, 4.17.3, 4.17.4, 4.17.5, 4.17.9, 4.17.10, 4.17.11, 4.17.12, 4.17.13, 4.17.14, 4.17.15, 4.17.16, 4.17.17, 4.17.18
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.6.0, 4.17.19, 4.17.20, 4.17.21