EIQ-2019-0016

ID

EIQ-2019-0016

CVE

CVE-2018-3721

Description

lodash enables prototype pollution

Date

22 Mar 2019

Severity

2 - MEDIUM

CVSSv3 score

6.5

Status

✅ 2.4.0

Assessment

The lodash Node.js module, versions 4.17.4 and earlier, contains a Modification of Assumed-Immutable Data (MAID) vulnerability in the defaultsDeep, merge, and mergeWith functions.

These functions merge nested keys recursively without special-casing the __proto__ accessor property. A source object (for example, one parsed from attacker-controlled JSON) that carries a __proto__ key therefore lets an attacker add or modify properties on Object.prototype.

Because every plain object inherits from Object.prototype, the added or modified properties become visible on all objects in the process, which can alter application logic, authorization checks, or defaults that assume those properties are unset.
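
The mechanism described above, as an added illustration that is not lodash's code: a minimal recursive merge written to behave like the vulnerable merge/defaultsDeep/mergeWith, beside a hardened version that refuses prototype-related keys and only recurses into the target's own properties. The function names (vulnerableMerge, safeMerge, pollutedKeys, the demo functions) and the JSON payload are constructed for this example.

```javascript
// Added example: a toy deep-merge that reproduces the lodash prototype-pollution
// behaviour, and a hardened variant. Not lodash's implementation.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: recurses into every source key, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion
// merges the attacker's nested object straight into Object.prototype.
function vulnerableMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      vulnerableMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop keys that reach the prototype chain, and never recurse into
// an inherited property of the target (only its own properties).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or throw, if you prefer to fail loudly
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Cheap runtime check: Object.prototype's built-ins are non-enumerable, so any
// enumerable own key on it is a sign that something polluted the prototype.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

// Constructed attacker input. JSON.parse creates an OWN property literally
// named "__proto__" rather than invoking the accessor, which is exactly what
// the recursive merge then trips over.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}, "name": "alice"}';

// Returns what an unrelated object sees after the vulnerable merge, plus the
// keys the pollution check reported. Cleans up so the process is usable again.
function demoVulnerable() {
  vulnerableMerge({}, JSON.parse(ATTACKER_JSON));
  const victim = {}; // never touched by the merge
  const result = { inheritedIsAdmin: victim.isAdmin === true, keys: pollutedKeys() };
  delete Object.prototype.isAdmin;
  return result;
}

// Same payload through the hardened merge: "name" is merged, "__proto__" is not.
function demoSafe() {
  const out = safeMerge({}, JSON.parse(ATTACKER_JSON));
  const victim = {};
  return { inheritedIsAdmin: victim.isAdmin === true, name: out.name, keys: pollutedKeys() };
}

console.log("vulnerable:", demoVulnerable()); // inheritedIsAdmin: true, keys: ["isAdmin"]
console.log("hardened:  ", demoSafe());       // inheritedIsAdmin: false, name: "alice", keys: []
```

The own-property check in safeMerge matters on its own: even with __proto__ filtered, a merge that recurses into target[key] for an inherited key would still write through to the prototype. In production, prefer a patched lodash over a home-grown merge; the pollutedKeys check is a useful assertion to keep in an integration test.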

Mitigation

Update to lodash 4.17.11 or later.

Affected versions

2.3.4 and earlier.

Notes

For more information, see: