Closed mend-bolt-for-github[bot] closed 5 years ago
lodash-3.10.1.tgz
The modern build of lodash modular utilities.
path: /tmp/git/rainyday.js/node_modules/lodash/package.json
Library home page: http://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Lodash modular utilities.
path: /tmp/git/rainyday.js/node_modules/grunt-contrib-uglify/node_modules/lodash/package.json
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
path: /tmp/git/rainyday.js/node_modules/grunt-legacy-util/node_modules/lodash/package.json
Library home page: http://registry.npmjs.org/lodash/-/lodash-4.3.0.tgz
path: /tmp/git/rainyday.js/node_modules/jshint/node_modules/lodash/package.json
Library home page: http://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz
In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Publish Date: 2018-11-25
URL: WS-2018-0210
Base Score Metrics not available
Type: Change files
Origin: https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
Release Date: 2018-08-31
Fix Resolution: Replace or update the following files: lodash.js, test.js
Step up your Open Source Security Game with WhiteSource here
WS-2018-0210 - Low Severity Vulnerability
Vulnerable Libraries - lodash-3.10.1.tgz, lodash-4.17.4.tgz, lodash-4.3.0.tgz, lodash-3.7.0.tgz
lodash-3.10.1.tgz
The modern build of lodash modular utilities.
path: /tmp/git/rainyday.js/node_modules/lodash/package.json
Library home page: http://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Dependency Hierarchy: - grunt-1.0.1.tgz (Root Library) - grunt-legacy-log-1.0.0.tgz - :x: **lodash-3.10.1.tgz** (Vulnerable Library)lodash-4.17.4.tgz
Lodash modular utilities.
path: /tmp/git/rainyday.js/node_modules/grunt-contrib-uglify/node_modules/lodash/package.json
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Dependency Hierarchy: - grunt-contrib-uglify-1.0.2.tgz (Root Library) - :x: **lodash-4.17.4.tgz** (Vulnerable Library)lodash-4.3.0.tgz
Lodash modular utilities.
path: /tmp/git/rainyday.js/node_modules/grunt-legacy-util/node_modules/lodash/package.json
Library home page: http://registry.npmjs.org/lodash/-/lodash-4.3.0.tgz
Dependency Hierarchy: - grunt-1.0.1.tgz (Root Library) - grunt-legacy-log-1.0.0.tgz - grunt-legacy-log-utils-1.0.0.tgz - :x: **lodash-4.3.0.tgz** (Vulnerable Library)lodash-3.7.0.tgz
The modern build of lodash modular utilities.
path: /tmp/git/rainyday.js/node_modules/jshint/node_modules/lodash/package.json
Library home page: http://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz
Dependency Hierarchy: - grunt-contrib-jshint-1.1.0.tgz (Root Library) - jshint-2.9.5.tgz - :x: **lodash-3.7.0.tgz** (Vulnerable Library)Vulnerability Details
In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Publish Date: 2018-11-25
URL: WS-2018-0210
CVSS 2 Score Details (3.5)
Base Score Metrics not available
Suggested Fix
Type: Change files
Origin: https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
Release Date: 2018-08-31
Fix Resolution: Replace or update the following files: lodash.js, test.js
Step up your Open Source Security Game with WhiteSource here