Prototype Pollution in lodash

Description

Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}`, adding a new property or modifying an existing one so that it then appears on all objects.
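The following is an added example, not lodash's own code and not part of the original alert: a minimal recursive defaults-merge (`defaultsDeepVulnerable`, a constructed name) that reproduces the defect described above by treating any object-like value, including the `Object` constructor function, as a container to recurse into, so a payload shaped like `{constructor: {prototype: {...}}}` walks onto `Object.prototype`. Beside it is a hardened variant (`defaultsDeepSafe`, also a constructed name) that refuses to descend through `__proto__`, `constructor` and `prototype` keys and only copies into own properties. `demo()` runs both against a constructed JSON payload and reports whether `Object.prototype` was polluted; all helper names are assumptions.

```javascript
// Added example: a toy "defaults deep" merge that is vulnerable in the way the
// advisory describes, next to a hardened version. Not lodash's implementation.

// Loose check in the style of the buggy behaviour: functions count as objects,
// so `target.constructor` (the Object function) looks like a mergeable container.
function isObjectLike(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// Stricter check used by the hardened version: plain objects only.
function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// VULNERABLE: trusts every key in `source`. For the key "constructor" it finds
// `target.constructor === Object`, recurses into the function, then into its
// "prototype" and finally writes onto Object.prototype.
function defaultsDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isObjectLike(value)) {
      if (!isObjectLike(target[key])) target[key] = {};
      defaultsDeepVulnerable(target[key], value);
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Keys that lead from any object to a shared prototype; never walk through them.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: skips prototype-reaching keys, recurses only into plain objects,
// and decides "is this key already set?" using own properties, not inherited ones.
function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(value)) {
      if (!hasOwn) target[key] = {};
      if (isPlainObject(target[key])) defaultsDeepSafe(target[key], value);
    } else if (!hasOwn) {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: does Object.prototype now carry an own property `name`?
function prototypeHasOwn(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Run both merges against the same untrusted input and report the outcome.
function demo() {
  // Constructed payload shaped like the advisory's `{constructor: {prototype: {...}}}`.
  const untrusted = JSON.parse(
    '{"constructor": {"prototype": {"polluted": "yes"}}, "port": 8080}'
  );

  const before = prototypeHasOwn('polluted');
  const vulnConfig = defaultsDeepVulnerable({ host: 'localhost' }, untrusted);
  const afterVulnerable = prototypeHasOwn('polluted');
  const unrelatedObjectSees = ({}).polluted;   // "yes": every object is affected
  delete Object.prototype.polluted;            // clean up before the hardened run

  const safeConfig = defaultsDeepSafe({ host: 'localhost' }, untrusted);
  const afterSafe = prototypeHasOwn('polluted');

  return {
    before,
    afterVulnerable,
    unrelatedObjectSees,
    afterSafe,
    vulnPort: vulnConfig.port,
    safePort: safeConfig.port,
    safeHasConstructorKey: Object.prototype.hasOwnProperty.call(safeConfig, 'constructor'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The `prototypeHasOwn` check is also a cheap runtime canary: asserting after a merge of untrusted input that `Object.prototype` gained no own properties catches this class of bug in tests without depending on a particular key name.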

Recommendation

Update to version 4.17.12 or later.

Repository: OpenNMS/opennms-compass (https://github.com/OpenNMS/opennms-compass)
Dependabot: https://github.com/OpenNMS/opennms-compass/security/dependabot/2
CVE: CVE-2019-10744
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
GHSA: GHSA-jf85-cpcp-j695
Severity: critical
Ecosystem: npm
Package Name: lodash.merge
Vulnerable Version Range: < 4.6.2
First Patched Version: 4.6.2

Created July 21, 2023 at 10:45 PM
Updated July 21, 2023 at 10:45 PM