#VU37072 Input validation error in Lodash - CVE-2018-3721

Cybersecurity Help s.r.o.

Published: 2018-06-07 | Updated: 2020-08-08

Vulnerability identifier: #VU37072

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-3721

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Lodash
Web applications / JS libraries

Vendor: Lodash

Description

The vulnerability allows a remote authenticated user to manipulate data.

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Lodash: 4.17.0 - 4.17.4

External links
https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
https://hackerone.com/reports/310443
https://security.netapp.com/advisory/ntap-20190919-0004/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM MobileFirst Platform Foundation

Multiple vulnerabilities in Watson Machine Learning Accelerator on Cloud Pak for Data

Multiple vulnerabilities in IBM Security Verify Governance

Multiple vulnerabilities in IBM Process Mining

Multiple vulnerabilities in IBM QRadar Pulse for QRadar SIEM

Multiple vulnerabilities in IBM Tivoli Netcool/OMNIbus WebGUI

Input validation error in Lodash