Bug 1545884 – CVE-2018-3721 lodash: Prototype pollution in utilities function

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1545884 - (CVE-2018-3721) CVE-2018-3721 lodash: Prototype pollution in utilities function

Summary:	CVE-2018-3721 lodash: Prototype pollution in utilities function

Status:	NEW

Aliases:	CVE-2018-3721

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20180215,reported=2...
Keywords:	Security

Depends On:	1545885 1545887 1549920 1549921 1545886 1549919
Blocks:	1545889
	Show dependency tree / graph

Reported:	2018-02-15 13:50 EST by Pedro Sampaio
Modified:	2018-06-29 18:32 EDT (History)
CC List:	31 users (show)

See Also:
Fixed In Version:	lodash 4.17.5
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pedro Sampaio 2018-02-15 13:50:28 EST

Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allows modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property leading to potential denial of service.

Upstream patch:

https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a

References:

https://snyk.io/vuln/npm:lodash:20180130
https://hackerone.com/reports/310443

Comment 1 Pedro Sampaio 2018-02-15 13:50:59 EST

Created lodash tracking bugs for this issue:

Affects: fedora-all [bug 1545887]


Created nodejs-lodash tracking bugs for this issue:

Affects: epel-all [bug 1545885]

Comment 3 Jason Shepherd 2018-02-16 00:18:25 EST

Node of the libraries, or services using the lodash in RHMAP call the vulnerable methods with the expection of the _send function in 'sendgrid' version 1.9.1. For 'sendgrid' the parameters passed to 'lodash.merge' are not obtained from user input:

https://github.com/sendgrid/sendgrid-nodejs/blob/967fb3105908617b41b761d3f18bbc623eb4579a/lib/sendgrid.js#L70

Note You need to log in before you can comment on or make changes to this bug.

bleanhar
ccoleman
cpelland
dajohnso
dclarizi
dedgar
dffrench
dmcphers
drusso
gblomqui
gmccullo
gtanzill
hhudgeon
jamielinux
jfrey
jgoulding
jhardy
jkeck
jmadigan
jprause
jshepherd
lgriffin
ngough
obarenbo
pwright
rhel8-maint
roliveri
rrajasek
simaishi
tjay
trepel