Name of Vulnerability: CVE-2018-16487 (as a result of an incomplete fix made for CVE-2018-3721)
Type of Vulnerability: DoS, Remote code execution
Component Name: lodash (as present in npm)
Versions Affected: [4.17.5, 4.17.11)
CVSS 3.0 Score: 9.8
CVSS 3.0 Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Advisory Deviation: The Sonatype security research team discovered that the root cause of this vulnerability was introduced in version 4.17.5 by an incomplete fix for CVE-2018-3721. As a result, contrary to what the advisory states, only versions from 4.17.5 up to, but not including, 4.17.11 are affected by CVE-2018-16487. Vulnerable versions prior to 4.17.5 are still covered by CVE-2018-3721.
The `lodash` package is vulnerable to Prototype Pollution. The `safeGet()` helper in `lodash.js`, which the deep-merge functions `merge()`, `mergeWith()` and `defaultsDeep()` use to look up keys on the objects they traverse, fails to restrict the addition or modification of properties of `Object.prototype`: the guard introduced in 4.17.5 refuses only the `__proto__` key, so a nested payload whose keys walk `constructor` and then `prototype` still reaches `Object.prototype`. A remote attacker can exploit this by submitting malicious JSON to an endpoint that passes request data into one of these functions. Because every ordinary object inherits from `Object.prototype`, the injected property then appears on objects throughout the application; depending on how the application uses them, this can result in a Denial of Service (DoS), for example by breaking assumptions about which properties exist, or potentially Remote Code Execution (RCE), for example where a polluted property feeds a template engine or a spawned command. The fix shipped in lodash 4.17.11, which extends `safeGet()` to refuse `constructor` as well; the same merge path was hardened again in 4.17.12 (CVE-2019-10744), so pin to the latest 4.17.x release rather than to 4.17.11 exactly.
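The traversal described above, as an added illustration that is neither lodash's code nor part of the Sonatype post: a minimal deep merge whose only guard is refusing the `__proto__` key (the state of the incomplete 4.17.5 fix) next to a hardened merge that refuses `constructor` and `prototype` too and only descends into the target's own properties. The function names, the `isAdmin` property and both JSON payloads are constructed for this demo; the merges model the traversal, not lodash's internals.

```javascript
// Added illustration, not lodash's code: two minimal deep merges, one with
// only the "__proto__" guard (the state of the incomplete fix) and one with
// the guards a safe merge needs. Names and payloads are constructed for this demo.

function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Incomplete guard: "__proto__" is refused, but target["constructor"] resolves
// through the prototype chain to the Object function, whose "prototype" is
// Object.prototype, so a nested payload lands there.
function mergeIncomplete(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__') continue;
    const srcVal = source[key];
    if (isObjectLike(srcVal)) {
      const dst = target[key];              // inherited lookup, not own-property lookup
      if (isObjectLike(dst)) {
        mergeIncomplete(dst, srcVal);       // dst may now be Object or Object.prototype
      } else {
        target[key] = mergeIncomplete({}, srcVal);
      }
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: refuse the three keys that can reach Object.prototype, and
// only descend into the target's own plain-object properties, so an inherited
// value is never used as a merge destination.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = mergeSafe(isPlainObject(own) ? own : {}, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed attacker inputs, as they would arrive in a JSON request body.
const PROTO_PAYLOAD = '{"__proto__": {"isAdmin": true}}';                          // CVE-2018-3721 shape
const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"isAdmin": true}}}';  // bypasses a __proto__-only guard

// Merges one payload into a throwaway object and reports whether an unrelated,
// freshly created object now inherits "isAdmin". Always cleans Object.prototype
// afterwards so the pollution cannot leak into the rest of the process.
function pollutes(mergeFn, payloadJson) {
  const config = { debug: false };
  try {
    mergeFn(config, JSON.parse(payloadJson));
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Stand-alone run: the incomplete guard stops the __proto__ shape but not the
// constructor.prototype shape; the hardened merge stops both.
for (const [name, fn] of [['incomplete guard', mergeIncomplete], ['hardened', mergeSafe]]) {
  console.log(name, '| __proto__ payload pollutes:', pollutes(fn, PROTO_PAYLOAD),
              '| constructor.prototype payload pollutes:', pollutes(fn, CONSTRUCTOR_PAYLOAD));
}
```

The check that matters in `mergeIncomplete` is the inherited lookup `target[key]`: for `key === 'constructor'` on a plain object it returns the `Object` function rather than `undefined`, and one more hop through `prototype` makes `Object.prototype` the merge destination. In production, upgrade lodash rather than hand-rolling a merge; as defence in depth, build objects that hold untrusted data with `Object.create(null)` and consider `Object.freeze(Object.prototype)` where the application tolerates it.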
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Elisa Velarde. Read the original post at: https://blog.sonatype.com/cve-2018-16487-lodash-rce-prototype-pollution