synopsys-sig / synopsys-action

Synopsys Action consuming Synopsys scanning tools
Apache License 2.0

Blackduck: Automated PR: Update lodash/4.17.4 to 4.17.21 #267

Open github-actions[bot] opened 3 days ago

github-actions[bot] commented 3 days ago

Vulnerabilities associated with lodash/4.17.4

BDSA-2018-3818 (HIGH): Lodash is vulnerable to denial-of-service (DoS) as the user-controllable input to certain functions is not sufficiently checked, allowing an attacker to add or modify existing properties of presumably immutable Object data structure. An unauthenticated attacker can leverage this flaw to add arbitrary properties to objects used by the web application which can be leveraged to cause a crash or to prevent the server from responding to all requests.

This vulnerability may also lead to remote code execution (RCE) in some applications, depending on the implementation.

BDSA-2019-2112 (HIGH): Lodash contains a prototype pollution flaw. An attacker could exploit this to modify the component or cause remote code execution or a denial-of-service (DoS).

BDSA-2019-3842 (HIGH): Lodash contains a denial-of-service (DoS) vulnerability. This is due to multiple methods not validating the length of content supplied to them. If an application is passing untrusted input to the Lodash library, it may be possible for an attacker to cause the process to crash, resulting in a DoS condition.

Please note that this issue is not considered by the vendor to be a vulnerability in Lodash, however it could be exploited if an application using Lodash accepts user input without validation and passes it to the affected functions. A pull request was opened to update the Lodash documentation regarding this issue but it was closed and not merged.

BDSA-2020-1674 (HIGH): Lodash is vulnerable to remote code execution (RCE) due to the potential to modify the properties of objects in memory. A remote attacker could run arbitrary commands on a vulnerable server, or cause the server to crash, by maliciously crafting an object via the zip functionality of Lodash.

Note: this issue was not properly addressed and required an additional fix and disclosure (BDSA-2020-3839).

BDSA-2020-3839 (HIGH): lodash is vulnerable to a prototype pollution flaw. A remote attacker may be able to supply specially crafted input to cause serious confidentiality, integrity and availability impacts to the application. In the past, such vulnerabilities have led to remote code execution (RCE) in the end application.

BDSA-2021-0392 (HIGH): Lodash is vulnerable to command injection via the template function. An attacker can take advantage of this vulnerability in order to run arbitrary commands.

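Several of the entries above (BDSA-2019-2112, BDSA-2020-1674, BDSA-2020-3839) describe the same bug class: a merge or zip routine that walks untrusted keys and ends up writing onto `Object.prototype`. The following is an added example, not code from this PR, from the synopsys-action project or from lodash: a minimal recursive merge with that defect beside a hardened version that refuses prototype-reaching keys, plus a check a defender can run to confirm whether the shared prototype has been polluted. The function names, the `UNSAFE_KEYS` list and the JSON payload are constructed for illustration.

```javascript
// Added example (not part of the PR, the action, or lodash): a deep merge with
// the prototype-pollution defect the advisories describe, a hardened merge,
// and a check for whether Object.prototype has acquired an own property.

// Keys through which a recursive walk can reach Object.prototype. The
// standard fix in merge-style helpers is to never recurse into these.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: recurses into every key. For a source key "__proto__",
// target["__proto__"] evaluates to Object.prototype, so the recursion writes
// the attacker's properties onto the prototype every object inherits from.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeUnsafe(target[key], source[key]);
    } else if (isPlainObject(source[key])) {
      target[key] = mergeUnsafe({}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skips prototype-reaching keys and only descends into the
// target's own properties, so the walk can never leave the target object.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const existing = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = mergeSafe(existing, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Detection check: a successful pollution leaves an own property on
// Object.prototype, which a healthy runtime never has for application names.
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Constructed payload, shaped like a JSON request body. JSON.parse creates an
// own property literally named "__proto__", which Object.keys() will return.
const CRAFTED_JSON = '{"name":"demo","__proto__":{"polluted":"yes"}}';

// Runs one merge implementation against the payload and reports the outcome,
// then restores Object.prototype so later code is not affected.
function runMerge(merge) {
  const result = merge({}, JSON.parse(CRAFTED_JSON));
  const polluted = isPrototypePolluted("polluted");
  const inherited = {}.polluted; // undefined unless the prototype was written
  delete Object.prototype.polluted;
  return { polluted, inherited, keys: Object.keys(result) };
}

function demonstrate() {
  return { unsafe: runMerge(mergeUnsafe), safe: runMerge(mergeSafe) };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Running the block shows `unsafe.polluted` as `true` with a fresh `{}` inheriting `polluted: "yes"`, while the hardened merge leaves the prototype untouched and only the `name` key on the result. The blocklist is the usual patch shape for this bug class; where user-supplied keys are stored long term, a `Map` or an object created with `Object.create(null)` removes the prototype chain entirely, and the `isPrototypePolluted` check is cheap enough to run in a health endpoint or test suite.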