Candidate: CVE-2018-3750
PublicDate: 2018-07-03 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750
 https://nodesecurity.io/advisories/612
 https://github.com/unclechu/node-deep-extend/issues/39
 https://github.com/unclechu/node-deep-extend/pull/40
 https://hackerone.com/reports/311333
Description:
 The utilities function in all versions <= 0.5.0 of the deep-extend node
 module can be tricked into modifying the prototype of Object when the
 attacker can control part of the structure passed to this function. This
 can let an attacker add or modify existing properties that will exist on
 all objects.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_node-deep-extend:
 upstream: https://github.com/unclechu/node-deep-extend/commit/433ee51ed606f4e1867ece57b6ff5a47bebb492f
upstream_node-deep-extend: needs-triage
precise/esm_node-deep-extend: DNE
trusty_node-deep-extend: DNE
trusty/esm_node-deep-extend: DNE
xenial_node-deep-extend: DNE
artful_node-deep-extend: ignored (reached end-of-life)
bionic_node-deep-extend: needs-triage
cosmic_node-deep-extend: ignored (reached end-of-life)
disco_node-deep-extend: ignored (reached end-of-life)
eoan_node-deep-extend: not-affected (0.4.1-3)
focal_node-deep-extend: not-affected (0.4.1-3)
groovy_node-deep-extend: not-affected (0.4.1-3)
hirsute_node-deep-extend: not-affected (0.4.1-3)
impish_node-deep-extend: not-affected (0.4.1-3)
jammy_node-deep-extend: not-affected (0.4.1-3)
devel_node-deep-extend: not-affected (0.4.1-3)