search

mubaidr / rainyday.js

Simulating raindrops falling on a window
https://mubaidr.github.io/rainyday.js/
GNU General Public License v2.0
114 stars 44 forks source link

CVE-2018-3721 Medium Severity Vulnerability detected by WhiteSource #8

Closed mend-bolt-for-github[bot] closed 5 years ago

mend-bolt-for-github[bot] commented 5 years ago

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-4.17.4.tgz, lodash-4.3.0.tgz, lodash-3.7.0.tgz

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

path: /tmp/git/rainyday.js/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy: - grunt-1.0.1.tgz (Root Library) - grunt-legacy-log-1.0.0.tgz - :x: **lodash-3.10.1.tgz** (Vulnerable Library)
lodash-4.17.4.tgz

Lodash modular utilities.

path: /tmp/git/rainyday.js/node_modules/grunt-contrib-uglify/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Dependency Hierarchy: - grunt-contrib-uglify-1.0.2.tgz (Root Library) - :x: **lodash-4.17.4.tgz** (Vulnerable Library)
lodash-4.3.0.tgz

Lodash modular utilities.

path: /tmp/git/rainyday.js/node_modules/grunt-legacy-util/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-4.3.0.tgz

Dependency Hierarchy: - grunt-1.0.1.tgz (Root Library) - grunt-legacy-log-1.0.0.tgz - grunt-legacy-log-utils-1.0.0.tgz - :x: **lodash-4.3.0.tgz** (Vulnerable Library)
lodash-3.7.0.tgz

The modern build of lodash modular utilities.

path: /tmp/git/rainyday.js/node_modules/jshint/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Dependency Hierarchy: - grunt-contrib-jshint-1.1.0.tgz (Root Library) - jshint-2.9.5.tgz - :x: **lodash-3.7.0.tgz** (Vulnerable Library)

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3721

Fix Resolution: Upgrade to version lodash 4.17.5 or greater

Step up your Open Source Security Game with WhiteSource here