Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker who controls the path argument can pass a crafted path (one that traverses constructor.prototype, for example) that causes Lodash to delete methods from global prototypes such as Object.prototype. The issue permits deletion of properties but does not allow overwriting them with attacker-controlled behaviour. This issue is patched in 4.17.23.
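As an added illustration (not lodash's code, and not part of the advisory), the following JavaScript models the path-walking deletion that the advisory describes for _.unset and, by extension, _.omit, beside a hardened variant. The class name Account, the helper names (unsafeUnset, safeUnset, the demo functions) and the attacker-controlled path are constructed for this example. It shows how a path of the form key.constructor.prototype.method walks off the target object onto a shared prototype, and that the result is removal rather than replacement: later callers get a TypeError instead of attacker-chosen behaviour.

```javascript
// Path segments that let a walk leave the target object for a prototype.
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept either an array of keys or a dotted string, as lodash paths do.
function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Simplified model of the pre-4.17.23 behaviour (not lodash's source): every
// segment is followed, so "constructor.prototype.<name>" walks from any plain
// object to Object.prototype (or to a class prototype) and the final delete
// removes a method shared by everything that inherits from it.
function unsafeUnset(obj, path) {
  const keys = toPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i += 1) {
    if (cur == null) return true; // nothing to unset
    cur = cur[keys[i]];
  }
  return cur == null ? true : delete cur[keys[keys.length - 1]];
}

// Hardened variant: refuse prototype-escaping segments and only step through,
// and delete, own properties of plain data.
function safeUnset(obj, path) {
  const keys = toPath(path);
  if (keys.some((k) => PROTO_KEYS.has(k))) return false;
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur === null || typeof cur !== 'object') return true;
    if (!Object.prototype.hasOwnProperty.call(cur, key)) return true;
    cur = cur[key];
  }
  const last = keys[keys.length - 1];
  if (cur === null || typeof cur !== 'object') return true;
  if (!Object.prototype.hasOwnProperty.call(cur, last)) return true;
  return delete cur[last];
}

// Demo 1: a method on a class prototype is reached through an instance that
// sits inside the object being edited. The path is attacker-controlled
// (constructed for this example).
function demoClassPrototype() {
  class Account { balance() { return 42; } }
  const before = typeof Account.prototype.balance;
  unsafeUnset({ record: new Account() }, 'record.constructor.prototype.balance');
  const after = typeof Account.prototype.balance;
  let error = null;
  try { new Account().balance(); } catch (e) { error = e.constructor.name; }
  return { before, after, error }; // 'function', 'undefined', 'TypeError'
}

// Demo 2: from an empty object the same path reaches Object.prototype. The
// deleted method is restored immediately so this process keeps working; a
// real victim application gets no such second chance.
function demoGlobalPrototype() {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, 'toString');
  unsafeUnset({}, 'constructor.prototype.toString');
  const deleted = !Object.prototype.hasOwnProperty.call(Object.prototype, 'toString');
  Object.defineProperty(Object.prototype, 'toString', saved);
  return deleted; // true
}

// Demo 3: the hardened walker rejects the path, leaves the prototype alone,
// and still unsets an ordinary own property.
function demoHardened() {
  class Account { balance() { return 42; } }
  const rejected = safeUnset({ record: new Account() }, 'record.constructor.prototype.balance');
  const ordinary = { a: { b: 1, c: 2 } };
  safeUnset(ordinary, 'a.b');
  return { rejected, intact: typeof Account.prototype.balance, remaining: Object.keys(ordinary.a) };
}
```

Run it with node. Demo 2 puts Object.prototype.toString back right after deleting it so the process survives; a real victim has no such recovery, which is why the advisory's impact is loss of functionality rather than code execution. The practical fix is to upgrade to lodash 4.17.23 or later; the safeUnset pattern (refuse __proto__, constructor and prototype segments, walk own properties only) is the same check to apply to any home-grown path utility that accepts untrusted paths.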
CVSS v3.1 base vector (base score 5.3, Medium): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | LOW |
| Availability Impact | NONE |
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Attack Requirements | NONE |
| Privileges Required | NONE |
| User Interaction | NONE |
| Vulnerable System Confidentiality | NONE |
| Vulnerable System Integrity | LOW |
| Vulnerable System Availability | LOW |
| Subsequent System Confidentiality | HIGH |
| Subsequent System Integrity | HIGH |
| Subsequent System Availability | HIGH |
| Source | Type | Weakness |
|---|---|---|
| ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| lodash | lodash | * | * | Application |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:* |