Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allows modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property leading to potential denial of service.

Upstream patch: https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a

References:
https://snyk.io/vuln/npm:lodash:20180130
https://hackerone.com/reports/310443
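To make the flaw class concrete from a defender's side, here is an added example (not lodash's code, not the upstream patch, and not part of this bug report): a minimal recursive merge that behaves the way the description above outlines, a hardened variant that refuses prototype-chain keys, and a boundary check for untrusted JSON before it reaches any deep-merge call. The payload, the `pollutedByExample` property name and all function names are constructed for the example; the hardened merge is an illustrative mitigation and does not reproduce the exact change in the upstream commit.

```javascript
// Added example (not lodash's code and not from the bug report): a vulnerable
// deep merge beside a hardened one, plus an input-boundary check.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable merge: it walks every own key of `source`, including one literally
// named "__proto__". On the target side, target["__proto__"] is an accessor that
// returns the target's prototype (Object.prototype for a plain object), so the
// recursion descends into the shared prototype and writes properties there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge (illustrative mitigation, not the upstream patch itself):
// skip the keys that reach the prototype chain, and only recurse into objects
// the target itself owns, never into inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownsPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownsPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Boundary check for untrusted JSON: true if a blocked key appears at any
// depth, including inside arrays. Useful as a reject-early filter in front of
// code that still calls an unpatched merge.
function containsPollutionKeys(value) {
  if (Array.isArray(value)) return value.some(containsPollutionKeys);
  if (!isPlainObject(value)) return false;
  return Object.keys(value).some(
    (key) => BLOCKED_KEYS.has(key) || containsPollutionKeys(value[key]),
  );
}

function demonstrate() {
  // Constructed payload, the shape of an attacker-controlled JSON body.
  // JSON.parse creates an own property named "__proto__" (an object literal
  // would instead set the prototype), which is exactly what a merge sees.
  const payload = JSON.parse('{"name":"x","__proto__":{"pollutedByExample":true}}');

  const flagged = containsPollutionKeys(payload);

  unsafeMerge({}, payload);
  const afterUnsafe = ({}).pollutedByExample === true; // every object now inherits it
  delete Object.prototype.pollutedByExample;            // undo so the process is clean again

  const safeTarget = safeMerge({}, payload);
  const afterSafe = ({}).pollutedByExample === undefined;

  return { flagged, afterUnsafe, afterSafe, safeName: safeTarget.name };
}

console.log(demonstrate());
// → { flagged: true, afterUnsafe: true, afterSafe: true, safeName: 'x' }
```

The boundary check is the piece that matters for the later comment about call sites: when the structure handed to a merge is not derived from user input, none of this is reachable, and when it is, rejecting these keys at the trust boundary contains the problem even before the library is upgraded.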
Created lodash tracking bugs for this issue:
Affects: fedora-all [bug 1545887]

Created nodejs-lodash tracking bugs for this issue:
Affects: epel-all [bug 1545885]
None of the libraries or services using lodash in RHMAP call the vulnerable methods, with the exception of the _send function in 'sendgrid' version 1.9.1. For 'sendgrid', the parameters passed to 'lodash.merge' are not obtained from user input: https://github.com/sendgrid/sendgrid-nodejs/blob/967fb3105908617b41b761d3f18bbc623eb4579a/lib/sendgrid.js#L70
Statement: Red Hat CloudForms version 4.7 does not ship component lodash, so isn't affected by this flaw. Red Hat Virtualization 4.2 EUS includes a vulnerable version of lodash as part of the ovirt-engine-dashboard package. This package has been removed from Red Hat Virtualization 4.3.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-3721
This issue has been addressed in the following products:

Red Hat Quay 3
Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917