CVE-2018-16487 High Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.10.tgz, lodash-4.17.5.tgz

lodash-4.17.10.tgz

Lodash modular utilities.

path: /tmp/git/bit/node_modules/eslint-plugin-import/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz

Dependency Hierarchy:

• eslint-plugin-flowtype-2.47.1.tgz (Root Library)
  • ❌ lodash-4.17.10.tgz (Vulnerable Library)

lodash-4.17.5.tgz

Lodash modular utilities.

path: /tmp/git/bit/node_modules/babel-types/node_modules/lodash/package.json

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz

Dependency Hierarchy:

• table-4.0.3.tgz (Root Library)
  • ❌ lodash-4.17.5.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

---

Step up your Open Source Security Game with WhiteSource here