Giters

nycbeardo / react-todolist

To do list built in React

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2019-10744 (Critical) detected in lodash.template-4.4.0.tgz, lodash-4.17.11.tgz

mend-bolt-for-github opened this issue · comments

commented

CVE-2019-10744 - Critical Severity Vulnerability

Vulnerable Libraries - lodash.template-4.4.0.tgz, lodash-4.17.11.tgz

lodash.template-4.4.0.tgz

The lodash method `_.template` exported as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz

Path to dependency file: /react-todolist/package.json

Path to vulnerable library: /node_modules/lodash.template/package.json

Dependency Hierarchy:

  • react-scripts-3.0.1.tgz (Root Library)
    • postcss-preset-env-6.6.0.tgz
      • postcss-initial-3.0.0.tgz
        • lodash.template-4.4.0.tgz (Vulnerable Library)
lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /react-todolist/package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • react-scripts-3.0.1.tgz (Root Library)
    • core-7.4.3.tgz
      • lodash-4.17.11.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (react-scripts): 3.1.0

Fix Resolution (lodash): 4.5.0

Direct dependency fix Resolution (react-scripts): 3.1.0

Step up your Open Source Security Game with Mend here