Prototype Pollution in lodash.merge
Activity
chiuen (Qun) July 28, 2023 at 4:00 PM
Infosec evaluated at the following risk:
CVSS Score: 6.7 x likelihood low 0.5 = 3.4 low
Created July 24, 2023 at 1:34 PM
Updated July 28, 2023 at 4:00 PM
Versions of `lodash.merge` before 4.6.2 are vulnerable to prototype pollution. The function `merge` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.6.2 or later.
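As an added illustration of the defect class (constructed for this ticket, not lodash's source): a minimal recursive merge that descends into inherited keys such as `constructor` and `prototype`, shown beside a hardened merge that drops those keys and only recurses into properties the target actually owns. The `demo` function and the `polluted` key are made up for the example.

```javascript
// Constructed example of the defect class in this advisory; not lodash's code.
const isObjectLike = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: recurses into target[key] even when the key is inherited.
// For target {} the key "constructor" resolves to Object (a function), then
// "prototype" resolves to Object.prototype, and the leaf write lands there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isObjectLike(value) && isObjectLike(target[key])) {
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip keys that reach the prototype chain and only recurse
// into plain objects the target owns itself (never inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMerge(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges against untrusted JSON of the shape named in the advisory
// and reports whether a fresh, unrelated object picked up the key afterwards.
// Removes the polluted key again so the rest of the process is unaffected.
function demo() {
  const untrusted = JSON.parse('{"constructor":{"prototype":{"polluted":true}}}');
  naiveMerge({}, untrusted);
  const afterNaive = ({}).polluted === true; // true: the write hit Object.prototype
  delete Object.prototype.polluted;
  safeMerge({}, untrusted);
  const afterSafe = ({}).polluted === true; // false: "constructor" was never followed
  return { afterNaive, afterSafe };
}
```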
Repository: OpenNMS/opennms-compass (https://github.com/OpenNMS/opennms-compass)
Dependabot: https://github.com/OpenNMS/opennms-compass/security/dependabot/23
CVE:
CVSS:
GHSA: GHSA-h726-x36v-rx45
Severity: high
Ecosystem: npm
Package Name: lodash.merge
Vulnerable Version Range: < 4.6.2
First Patched Version: 4.6.2