[ { "Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-11358", "PkgName": "jquery", "InstalledVersion": "3.3.9", "FixedVersion": "3.4.0", "Layer": { "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c" }, "SeveritySource": "nodejs-security-wg", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358", "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection", "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", "Severity": "MEDIUM", "CweIDs": [ "CWE-79" ], "CVSS": { "nvd": { "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V2Score": 4.3, "V3Score": 6.1 }, "redhat": { "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "V3Score": 5.6 } }, "References": [ "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html", "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html", "http://seclists.org/fulldisclosure/2019/May/10", "http://seclists.org/fulldisclosure/2019/May/11", "http://seclists.org/fulldisclosure/2019/May/13", "http://www.openwall.com/lists/oss-security/2019/06/03/2", "http://www.securityfocus.com/bid/108023", "https://access.redhat.com/errata/RHSA-2019:1456", "https://backdropcms.org/security/backdrop-sa-core-2019-009", "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358", "https://github.com/DanielRuf/snyk-js-jquery-174006?files=1", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b", "https://github.com/jquery/jquery/pull/4333", "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434", "https://hackerone.com/reports/454365", "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E", "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E", "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E", "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E", "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E", "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html", "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/", "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "https://seclists.org/bugtraq/2019/Apr/32", "https://seclists.org/bugtraq/2019/Jun/12", "https://seclists.org/bugtraq/2019/May/18", "https://snyk.io/vuln/SNYK-JS-JQUERY-174006", "https://www.debian.org/security/2019/dsa-4434", "https://www.debian.org/security/2019/dsa-4460", "https://www.drupal.org/sa-core-2019-006" ], "PublishedDate": "2019-04-20T00:29:00Z", "LastModifiedDate": "2019-06-12T17:29:00Z" }, { "VulnerabilityID": "CVE-2019-10744", "PkgName": "lodash", "InstalledVersion": "4.17.4", "FixedVersion": "4.17.12", "Layer": { "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", "Severity": "CRITICAL", "CweIDs": [ "CWE-20" ], "CVSS": { "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V2Score": 7.5, "V3Score": 9.8 }, "redhat": { "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "V3Score": 9.1 } }, "References": [ "https://access.redhat.com/errata/RHSA-2019:3024", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744", "https://github.com/lodash/lodash/issues/4348", "https://github.com/lodash/lodash/pull/4336", "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", "https://security.netapp.com/advisory/ntap-20191004-0005/", "https://snyk.io/vuln/SNYK-JS-LODASH-450202" ], "PublishedDate": "2019-07-26T00:15:00Z", "LastModifiedDate": "2019-10-04T09:15:00Z" }, { "VulnerabilityID": "CVE-2018-16487", "PkgName": "lodash", "InstalledVersion": "4.17.4", "FixedVersion": "4.17.11", "Layer": { "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c" }, "SeveritySource": "nodejs-security-wg", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487", "Title": "lodash: Prototype pollution in utilities function", "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", "Severity": "HIGH", "CweIDs": [ "CWE-254" ], "CVSS": { "nvd": { "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V2Score": 7.5, "V3Score": 9.8 }, "redhat": { "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "V3Score": 5.6 } }, "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487", "https://hackerone.com/reports/380873", "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", "https://security.netapp.com/advisory/ntap-20190919-0004/", "https://www.npmjs.com/advisories/782" ], "PublishedDate": "2019-02-01T18:29:00Z", "LastModifiedDate": "2019-09-19T17:15:00Z" }, { "VulnerabilityID": "CVE-2019-1010266", "PkgName": "lodash", "InstalledVersion": "4.17.4", "FixedVersion": "4.17.11", "Layer": { "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266", "Title": "Moderate severity vulnerability that affects lodash", "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], "CVSS": { "nvd": { "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "V2Score": 4, "V3Score": 6.5 } }, "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266", "https://github.com/lodash/lodash/issues/3359", "https://github.com/lodash/lodash/wiki/Changelog", "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", "https://security.netapp.com/advisory/ntap-20190919-0004/", "https://snyk.io/vuln/SNYK-JS-LODASH-73639" ], "PublishedDate": "2019-07-17T21:15:00Z", "LastModifiedDate": "2019-09-19T17:15:00Z" }, { "VulnerabilityID": "CVE-2018-3721", "PkgName": "lodash", "InstalledVersion": "4.17.4", "FixedVersion": "4.17.5", "Layer": { "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c" }, "SeveritySource": "nodejs-security-wg", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721", "Title": "lodash: Prototype pollution in utilities function", "Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", "Severity": "LOW", "CVSS": { "nvd": { "V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "V2Score": 4, "V3Score": 6.5 }, "redhat": { "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 2.9 } }, "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721", "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", "https://hackerone.com/reports/310443", "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", "https://security.netapp.com/advisory/ntap-20190919-0004/" ], "PublishedDate": "2018-06-07T02:29:00Z", "LastModifiedDate": "2019-10-03T00:03:00Z" } ] } ]