LightTable
CVE-2018-16487 High Severity Vulnerability detected by WhiteSource
CVE-2018-16487 - High Severity Vulnerability
Vulnerable Libraries - lodash-3.7.0.tgz, lodash-3.2.0.tgz, lodash-4.13.1.tgz
lodash-3.7.0.tgz
The modern build of lodash modular utilities.
path: /JSHint/node_modules/jshint/node_modules/lodash/package.json
Library home page: http://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz
Dependency Hierarchy:
- :x: lodash-3.7.0.tgz (Vulnerable Library)
lodash-3.2.0.tgz
The modern build of lodash modular utilities.
path: /tmp/git/JSHint/node_modules/jshint/node_modules/xmlbuilder/node_modules/lodash/package.json
Library home page: http://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz
Dependency Hierarchy:
- jscs-1.11.3.tgz (Root Library)
- xmlbuilder-2.5.2.tgz
- :x: lodash-3.2.0.tgz (Vulnerable Library)
- xmlbuilder-2.5.2.tgz
lodash-4.13.1.tgz
Lodash modular utilities.
path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/lodash/package.json
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz
Dependency Hierarchy:
- nodeunit-0.9.5.tgz (Root Library)
- tap-7.1.2.tgz
- nyc-7.1.0.tgz
- istanbul-lib-instrument-1.1.0-alpha.4.tgz
- babel-generator-6.11.4.tgz
- :x: lodash-4.13.1.tgz (Vulnerable Library)
- babel-generator-6.11.4.tgz
- istanbul-lib-instrument-1.1.0-alpha.4.tgz
- nyc-7.1.0.tgz
- tap-7.1.2.tgz
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution: 4.17.11
Step up your Open Source Security Game with WhiteSource here
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "Published by a pub.dev verified publisher"){kind=small}