Prototype Pollution in lodash.merge

Description

Versions of `lodash.merge` before 4.6.2 are vulnerable to prototype pollution. The function `merge` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.6.2 or later.
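The fix class described above, as an added example that is not the advisory's or lodash's own code: a deep merge that refuses to walk `__proto__`, `constructor` and `prototype` keys, run against a constructed input shaped like the `{constructor: {prototype: {...}}}` payload from the description, followed by a check that `Object.prototype` was left untouched. `safeMerge`, `prototypeIsPolluted` and the sample input are assumptions for illustration.

```javascript
// Added example: hardened deep merge plus a pollution check (not lodash code).
// Keys that let a nested source object reach Object.prototype during a merge.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Recursively copies own enumerable keys of `source` into `target`, skipping
// the keys that would alter a prototype instead of a plain property.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop the pollution vector
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      // Descend only into an own plain-object property; never into an
      // inherited one (which would be a prototype object).
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeMerge(existing, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Detection: a freshly created object should inherit nothing unexpected.
// Returns true if `prop` resolves on `{}`, i.e. Object.prototype was polluted.
function prototypeIsPolluted(prop) {
  return prop in {};
}

// Constructed untrusted input shaped like the advisory's payload (assumption).
const untrusted = JSON.parse(
  '{"constructor": {"prototype": {"polluted": true}}, "name": "ok"}'
);

// Merge into an empty object and report what survived and whether the
// global prototype changed.
function demo() {
  const merged = safeMerge({}, untrusted);
  return { merged, polluted: prototypeIsPolluted('polluted') };
}
```

`demo()` returns `{ merged: { name: 'ok' }, polluted: false }`: the `constructor` subtree is discarded rather than merged into `Object.prototype`.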

Repository: OpenNMS/opennms-compass (https://github.com/OpenNMS/opennms-compass)
Dependabot: https://github.com/OpenNMS/opennms-compass/security/dependabot/23
CVE:
CVSS:
GHSA: GHSA-h726-x36v-rx45
Severity: high
Ecosystem: npm
Package Name: lodash.merge
Vulnerable Version Range: < 4.6.2
First Patched Version: 4.6.2

Activity

chiuen (Qun) July 28, 2023 at 4:00 PM

Infosec evaluated this at the following risk:

CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:U/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

CVSS Score: 6.7 x likelihood low 0.5 = 3.4 low

Created July 24, 2023 at 1:34 PM
Updated July 28, 2023 at 4:00 PM