CVE-2019-10744

Aliases:GHSA-jf85-cpcp-j695SNYK-JS-LODASH-450202

Advisory lineage Upstream: 0 Downstream: 4

Downstream

DEBIAN-CVE-2019-10744 RHSA-2019:3024 RHSA-2020:2362 UBUNTU-CVE-2019-10744

Modified

Published: 25 Jul 2019, 23:43

Last modified:04 Aug 2024, 22:32

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.1 CRITICAL

v3.1 (nvd)

EPSS Score

18.52% MEDIUM

19% probability +16.08%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

25 Jul 2019, 23:43

Published

Vulnerability first disclosed

04 Aug 2024, 22:32

Last Modified

Vulnerability information updated

Description

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVSS Metrics

v3.1•CRITICAL•Score: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
v2.0•MEDIUM•Score: 6.4AV:N/AC:L/Au:N/C:N/I:P/A:P

EPSS Trends

Current EPSS score: 18.52%• Percentile: 95%

Techniques & Countermeasures

CWE-1321•Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Affected Systems

f5•big-ip_access_policy_manager
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_advanced_firewall_manager
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_analytics
≥ 12.1.0, ≤ 12.1.5 | ≥ 13.1.0, ≤ 13.1.3 | ≥ 14.1.0, ≤ 14.1.2 | ≥ 15.0.0, < 15.0.1.3 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_application_acceleration_manager
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_application_security_manager
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_application_visibility_and_reporting
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, ≤ 13.1.3 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.1.0, < 15.1.1
f5•big-ip_domain_name_system
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_edge_gateway
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_fraud_protection_service
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_global_traffic_manager
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_link_controller
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_local_traffic_manager
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_policy_enforcement_manager
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-ip_webaccelerator
≥ 12.1.0, < 12.1.5.2 | ≥ 13.1.0, < 13.1.3.4 | ≥ 14.1.0, < 14.1.2.5 | ≥ 15.0.0, < 15.0.1.4 | ≥ 15.1.0, < 15.1.0.2
f5•big-iq_centralized_management
≥ 6.0.0, ≤ 6.1.0 | 5.4.0 | 7.0.0
f5•iworkflow
2.3.0
RubyGems•lodash-rails
< 4.17.12
lodash•lodash
< 4.17.12
netapp•active_iq_unified_manager
na
netapp•service_level_manager
na
Npm•lodash
< 4.17.12
Npm•lodash-amd
< 4.17.13
Npm•lodash-es
< 4.17.14
Npm•lodash.defaultsdeep
< 4.6.1
oracle•banking_extensibility_workbench
14.3.0 | 14.4.0
redhat•virtualization_manager
4.3
snyk•lodash
All versions prior to 4.17.12