CVE-2018-16487 High Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

path: /tmp/git/jenkins-material-theme/node_modules/applause/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Dependency Hierarchy:

• grunt-replace-0.11.0.tgz (Root Library)
  • applause-1.1.0.tgz
    • ❌ lodash-3.10.1.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

path: /tmp/git/jenkins-material-theme/node_modules/findup-sync/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

• grunt-0.4.5.tgz (Root Library)
  • findup-sync-0.1.3.tgz
    • ❌ lodash-2.4.2.tgz (Vulnerable Library)

lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/jenkins-material-theme/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Dependency Hierarchy:

• grunt-0.4.5.tgz (Root Library)
  • ❌ lodash-0.9.2.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

---

Step up your Open Source Security Game with WhiteSource here