CVE-2018-3721
CVSS 6.5 · MEDIUM
Summary
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
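The pattern the summary describes, shown as an added example (not lodash's code and not taken from the referenced commit): a simplified recursive merge that follows `__proto__`, beside a hardened version. The function names `naiveMerge`, `safeMerge` and `demo`, and the sample input, are constructed for illustration.

```javascript
// Added example; simplified stand-ins, not lodash's implementation.
const isObject = (v) => v !== null && typeof v === 'object';

// Vulnerable pattern: descends into any key, including the inherited __proto__.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveMerge(target[key], source[key]); // target.__proto__ is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip __proto__ and only descend into properties
// the target itself owns, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__') continue;
    const src = source[key];
    if (isObject(src) && !Array.isArray(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObject(target[key])) target[key] = {};
      safeMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

function demo() {
  // Constructed input: JSON.parse makes "__proto__" an own, enumerable key.
  const input = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');

  naiveMerge({}, input);
  const naivePolluted = ({}).polluted === true; // unrelated object is affected
  delete Object.prototype.polluted;             // restore the global state

  const merged = safeMerge({}, input);
  const safePolluted = ({}).polluted === true;
  return { naivePolluted, safePolluted, name: merged.name };
}

console.log(demo());
```
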
CVSS 3.1 breakdown
| Base score | 6.5 (MEDIUM) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity | HIGH |
| Availability | NONE |
Weakness type (CWE)
Affected products
- Lodash lodash
- Netapp active iq unified manager
- Netapp system manager
References
- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
- https://hackerone.com/reports/310443
- https://security.netapp.com/advisory/ntap-20190919-0004/
Data: NIST NVD. NVD last modified 2024-11-21. Always verify against the vendor advisory before acting.