CVE-2019-10744
CVSS 9.1 · CRITICAL
Summary
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
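The defensive check that a deep-merge helper needs in order to avoid this class of bug, as an added example that is not lodash's code and not the fix the project shipped: the merge walks only own enumerable keys of the source, refuses the three key names that can reach `Object.prototype` (`__proto__`, `constructor`, `prototype`), and always writes into an own property of the target rather than an inherited one. The function names `safeDefaultsDeep`, `isPlainObject` and `prototypeIsClean` are this example's own; the JSON payloads in `demo()` are constructed here.

```javascript
// Added example (not lodash code): a defaults-style deep merge that rejects
// keys able to alter the prototype chain. Names are this example's own.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Only plain objects (literal / JSON / null-prototype) are merged recursively.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Fill in properties missing from `target` using `source`, recursing into
// nested plain objects. Throws instead of merging a polluting key.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {          // own enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-polluting key: ${key}`);
    }
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      // Never recurse into an inherited object (e.g. a shared prototype member);
      // create an own property on the target if there is none yet.
      if (!hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDefaultsDeep(target[key], srcVal);
    } else if (!hasOwn(target, key)) {
      target[key] = srcVal;                          // existing own values win
    }
  }
  return target;
}

// Regression check for the pollution symptom: a property name must not have
// become visible on every object via Object.prototype.
function prototypeIsClean(propName) {
  return !hasOwn(Object.prototype, propName) && ({})[propName] === undefined;
}

// Constructed inputs: a benign defaults object and a "constructor" payload of
// the shape the advisory describes, both parsed from JSON as untrusted input.
function demo() {
  const merged = safeDefaultsDeep({ a: 1 }, JSON.parse('{"a": 2, "b": {"c": 3}}'));

  let rejected = false;
  try {
    safeDefaultsDeep({}, JSON.parse('{"constructor": {"prototype": {"polluted": true}}}'));
  } catch (e) {
    rejected = true;
  }

  return { merged, rejected, clean: prototypeIsClean("polluted") };
}

console.log(JSON.stringify(demo()));
```

Rejecting rather than silently skipping the key is a deliberate choice for a server: a request body carrying `constructor.prototype` is not a configuration to fall back from but an input worth logging and refusing.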
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 9.1 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
- Lodash lodash
- Netapp active iq unified manager
- Netapp service level manager
- Redhat virtualization manager
- Oracle banking extensibility workbench
- F5 big-ip access policy manager
- F5 big-ip advanced firewall manager
- F5 big-ip analytics
- F5 big-ip application acceleration manager
- F5 big-ip application security manager
- F5 big-ip application visibility and reporting
- F5 big-ip domain name system
- F5 big-ip edge gateway
- F5 big-ip fraud protection service
- F5 big-ip global traffic manager
- F5 big-ip link controller
- F5 big-ip local traffic manager
- F5 big-ip policy enforcement manager
- F5 big-ip webaccelerator
- F5 big-iq centralized management
References
- https://access.redhat.com/errata/RHSA-2019:3024
- https://security.netapp.com/advisory/ntap-20191004-0005/
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
Data: NIST NVD. NVD last modified 2024-11-21. Always verify against the vendor advisory before acting.