GHSA-p6mc-m468-83gw

Source

https://github.com/advisories/GHSA-p6mc-m468-83gw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p6mc-m468-83gw

Aliases

CVE-2020-8203

Published

2020-07-15T19:15:48Z

Modified

2023-11-08T04:04:15.600214Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

Prototype Pollution in lodash

Details

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

References

Affected packages

npm / lodash

Package

Name: lodash; View open source insights on deps.dev
Purl: pkg:npm/lodash

Affected ranges

Type: SEMVER
Events: Introduced

3.7.0

Fixed

4.17.19

Ecosystem specific

{
    "affected_functions": [
        "(lodash).pick",
        "(lodash).set",
        "(lodash).setWith",
        "(lodash).update",
        "(lodash).updateWith",
        "(lodash).zipObjectDeep"
    ]
}

npm / lodash-es

Package

Name: lodash-es; View open source insights on deps.dev
Purl: pkg:npm/lodash-es

Affected ranges

Type: SEMVER
Events: Introduced

3.7.0

Fixed

4.17.20

Ecosystem specific

{
    "affected_functions": [
        "(lodash).pick",
        "(lodash).set",
        "(lodash).setWith",
        "(lodash).update",
        "(lodash).updateWith",
        "(lodash).zipObjectDeep"
    ]
}

npm / lodash.pick

Package

Name: lodash.pick; View open source insights on deps.dev
Purl: pkg:npm/lodash.pick

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Last affected

4.4.0

Ecosystem specific

{
    "affected_functions": [
        "(lodash.pick)"
    ]
}

npm / lodash.set

Package

Name: lodash.set; View open source insights on deps.dev
Purl: pkg:npm/lodash.set

Affected ranges

Type: SEMVER
Events: Introduced

3.7.0

Last affected

4.3.2

Ecosystem specific

{
    "affected_functions": [
        "(lodash.set)"
    ]
}

npm / lodash.setwith

Package

Name: lodash.setwith; View open source insights on deps.dev
Purl: pkg:npm/lodash.setwith

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.3.2

Ecosystem specific

{
    "affected_functions": [
        "(lodash.setwith)"
    ]
}

npm / lodash.update

Package

Name: lodash.update; View open source insights on deps.dev
Purl: pkg:npm/lodash.update

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.10.2

Ecosystem specific

{
    "affected_functions": [
        "(lodash.update)"
    ]
}

npm / lodash.updatewith

Package

Name: lodash.updatewith; View open source insights on deps.dev
Purl: pkg:npm/lodash.updatewith

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.10.2

Ecosystem specific

{
    "affected_functions": [
        "(lodash.updatewith)"
    ]
}