Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2018-3721 / CVE-2018-16487] Lodash security issues #5

Closed
saitho opened this issue Feb 4, 2019 · 4 comments
Closed

[CVE-2018-3721 / CVE-2018-16487] Lodash security issues #5

saitho opened this issue Feb 4, 2019 · 4 comments
Assignees
@saitho
Labels
Security issue
Milestone
v1.2.1

Comments

@saitho
Copy link
Owner

saitho commented Feb 4, 2019
edited
Loading

CVE-2018-3721

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Remediation: Upgrade lodash to version 4.17.5 or later.

CVE-2018-16487

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Remediation: Upgrade lodash to version 4.17.11 or later.
@saitho saitho self-assigned this Feb 4, 2019
@saitho saitho added this to the v1.2.0 milestone Feb 5, 2019
@saitho
Copy link
Owner Author

saitho commented Feb 9, 2019

Lodash is a depency by node-git-describe. Therefore a pull request was opened for that: tvdstaaij/node-git-describe#10

@saitho saitho changed the title [CVE-2018-3721] loadash security issue [CVE-2018-3721 / CVE-2018-16487] Lodash security issues Feb 9, 2019
@saitho saitho modified the milestones: v1.2.0, v1.2.1 Feb 9, 2019
@saitho
Copy link
Owner Author

saitho commented Jul 9, 2019

Should be fixed by applying the needed patch via Snyk.

@saitho saitho closed this as completed Jul 9, 2019
@saitho
Copy link
Owner Author

saitho commented Jul 9, 2019

Actually reopening this as the latest release of git-describe should be used here.

@saitho saitho reopened this Jul 9, 2019
@saitho
Copy link
Owner Author

saitho commented Sep 18, 2019

Dependencies updated.

@saitho saitho closed this as completed Sep 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@saitho saitho

Labels
Security issue
Projects
None yet
Milestone
v1.2.1
Development

No branches or pull requests
1 participant
@saitho