CVE-2018-16487 High Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Libraries - lodash-3.7.0.tgz, lodash-3.2.0.tgz, lodash-4.13.1.tgz

lodash-3.7.0.tgz

The modern build of lodash modular utilities.

path: /JSHint/node_modules/jshint/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Dependency Hierarchy:

• ❌ lodash-3.7.0.tgz (Vulnerable Library)

lodash-3.2.0.tgz

The modern build of lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/xmlbuilder/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Dependency Hierarchy:

• jscs-1.11.3.tgz (Root Library)
  • xmlbuilder-2.5.2.tgz
    • ❌ lodash-3.2.0.tgz (Vulnerable Library)

lodash-4.13.1.tgz

Lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Dependency Hierarchy:

• nodeunit-0.9.5.tgz (Root Library)
  • tap-7.1.2.tgz
    • nyc-7.1.0.tgz
      • istanbul-lib-instrument-1.1.0-alpha.4.tgz
        • babel-generator-6.11.4.tgz
          • ❌ lodash-4.13.1.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

---

Step up your Open Source Security Game with WhiteSource here