CVE-2018-3721
lodash: Prototype pollution in utilities function
- Public Exploits: 2
- Exploited in Wild: -
Descriptions
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2017-06-14 First Exploit
- 2017-12-28 CVE Reserved
- 2018-06-07 CVE Published
- 2024-08-13 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-471: Modification of Assumed-Immutable Data (MAID)
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CAPEC
References (6)
URL | Tag | Source
---|---|---
https://security.netapp.com/advisory/ntap-20190919-0004 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://github.com/ossf-cve-benchmark/CVE-2018-3721 | 2017-06-14 |
https://hackerone.com/reports/310443 | 2024-09-16 |

URL | Date | SRC
---|---|---
https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a | 2024-02-16 |

URL | Date | SRC
---|---|---
https://access.redhat.com/security/cve/CVE-2018-3721 | 2021-10-19 |
https://bugzilla.redhat.com/show_bug.cgi?id=1545884 | 2021-10-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Lodash | Lodash | < 4.17.5 | node.js | Affected
Netapp | Active Iq Unified Manager | - | linux | Affected
Netapp | Active Iq Unified Manager | - | vmware_vsphere | Affected
Netapp | Active Iq Unified Manager | - | windows | Affected
Netapp | System Manager | 9.0 | - | Affected