WS-2018-0210 Low Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

WS-2018-0210 - Low Severity Vulnerability

Vulnerable Libraries - lodash-3.7.0.tgz, lodash-3.2.0.tgz, lodash-4.13.1.tgz

lodash-3.7.0.tgz

The modern build of lodash modular utilities.

path: /JSHint/node_modules/jshint/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.7.0.tgz

Dependency Hierarchy:

• ❌ lodash-3.7.0.tgz (Vulnerable Library)

lodash-3.2.0.tgz

The modern build of lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/xmlbuilder/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.2.0.tgz

Dependency Hierarchy:

• jscs-1.11.3.tgz (Root Library)
  • xmlbuilder-2.5.2.tgz
    • ❌ lodash-3.2.0.tgz (Vulnerable Library)

lodash-4.13.1.tgz

Lodash modular utilities.

path: /tmp/git/JSHint/node_modules/jshint/node_modules/nyc/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Dependency Hierarchy:

• nodeunit-0.9.5.tgz (Root Library)
  • tap-7.1.2.tgz
    • nyc-7.1.0.tgz
      • istanbul-lib-instrument-1.1.0-alpha.4.tgz
        • babel-generator-6.11.4.tgz
          • ❌ lodash-4.13.1.tgz (Vulnerable Library)

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js

---

Step up your Open Source Security Game with WhiteSource here