Candidate: CVE-2018-3721
PublicDate: 2018-06-07 02:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721
 https://snyk.io/vuln/npm:lodash:20180130
 https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
 https://www.npmjs.com/advisories/577
Description:
 lodash node module before 4.17.5 suffers from a Modification of
 Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and
 mergeWith functions, which allows a malicious user to modify the prototype
 of "Object" via __proto__, causing the addition or modification of an
 existing property that will exist on all objects.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890575
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N [6.5 MEDIUM]


Patches_node-lodash:
upstream_node-lodash: released (4.17.11+dfsg-2, 4.17.5)
precise/esm_node-lodash: DNE
trusty_node-lodash: DNE
trusty/esm_node-lodash: DNE
xenial_node-lodash: ignored (end of standard support, was needed)
artful_node-lodash: ignored (reached end-of-life)
bionic_node-lodash: needed
cosmic_node-lodash: ignored (reached end-of-life)
disco_node-lodash: not-affected (4.17.11+dfsg-2)
eoan_node-lodash: not-affected (4.17.11+dfsg-2)
focal_node-lodash: not-affected (4.17.11+dfsg-2)
groovy_node-lodash: not-affected (4.17.11+dfsg-2)
hirsute_node-lodash: not-affected (4.17.11+dfsg-2)
impish_node-lodash: not-affected (4.17.11+dfsg-2)
jammy_node-lodash: not-affected (4.17.11+dfsg-2)
devel_node-lodash: not-affected (4.17.11+dfsg-2)