Ecosyste.ms: Advisories


Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA2bWMtbTQ2OC04M2d3

Prototype Pollution in lodash

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability allows a property to be added to, or an existing property modified on, Object.prototype, so that it appears on all objects; this may lead to Denial of Service or Code Execution under specific circumstances.

Permalink: https://github.com/advisories/GHSA-p6mc-m468-83gw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA2bWMtbTQ2OC04M2d3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 4 years ago
Updated: 3 months ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Identifiers: GHSA-p6mc-m468-83gw, CVE-2020-8203
References: Repository: https://github.com/lodash/lodash
Blast Radius: 46.5

Affected Packages

npm:lodash.updatewith
Dependent packages: 3
Dependent repositories: 2
Downloads: 465 last month
Affected Version Ranges: <= 4.10.2
No known fixed version
All affected versions: 4.6.0, 4.6.1, 4.7.0, 4.9.0, 4.10.0, 4.10.1, 4.10.2

npm:lodash.update
Dependent packages: 21
Dependent repositories: 144
Downloads: 25,441 last month
Affected Version Ranges: <= 4.10.2
No known fixed version
All affected versions: 4.6.0, 4.6.1, 4.7.0, 4.9.0, 4.10.0, 4.10.1, 4.10.2

npm:lodash.setwith
Dependent packages: 49
Dependent repositories: 126
Downloads: 243,374 last month
Affected Version Ranges: <= 4.3.2
No known fixed version
All affected versions: 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2

npm:lodash.set
Dependent packages: 1,948
Dependent repositories: 154,030
Downloads: 8,450,301 last month
Affected Version Ranges: >= 3.7.0, <= 4.3.2
No known fixed version
All affected versions: 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2

npm:lodash.pick
Dependent packages: 1,730
Dependent repositories: 255,591
Downloads: 12,942,662 last month
Affected Version Ranges: >= 4.0.0, <= 4.4.0
No known fixed version
All affected versions: 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0, 4.4.0

npm:lodash-es
Dependent packages: 10,953
Dependent repositories: 469,349
Downloads: 40,600,717 last month
Affected Version Ranges: >= 3.7.0, < 4.17.20
Fixed in: 4.17.20
All affected versions: 3.7.0, 3.8.0, 3.9.0, 3.9.2, 3.9.3, 3.10.0, 3.10.1, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.8.0, 4.8.2, 4.9.0, 4.10.0, 4.11.0, 4.11.1, 4.11.2, 4.12.0, 4.13.0, 4.13.1, 4.14.0, 4.14.1, 4.14.2, 4.15.0, 4.16.0, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.16.5, 4.16.6, 4.17.0, 4.17.1, 4.17.2, 4.17.3, 4.17.4, 4.17.5, 4.17.6, 4.17.7, 4.17.8, 4.17.9, 4.17.10, 4.17.11, 4.17.12, 4.17.13, 4.17.14, 4.17.15
All unaffected versions: 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.6.0, 4.17.20, 4.17.21

npm:lodash
Dependent packages: 159,122
Dependent repositories: 1,936,033
Downloads: 197,876,833 last month
Affected Version Ranges: >= 3.7.0, < 4.17.19
Fixed in: 4.17.19
All affected versions: 3.7.0, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.10.0, 3.10.1, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.10.0, 4.11.0, 4.11.1, 4.11.2, 4.12.0, 4.13.0, 4.13.1, 4.14.0, 4.14.1, 4.14.2, 4.15.0, 4.16.0, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.16.5, 4.16.6, 4.17.0, 4.17.1, 4.17.2, 4.17.3, 4.17.4, 4.17.5, 4.17.9, 4.17.10, 4.17.11, 4.17.12, 4.17.13, 4.17.14, 4.17.15, 4.17.16, 4.17.17, 4.17.18
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.6.0, 4.17.19, 4.17.20, 4.17.21