Vulnerabilities > CVE-2019-10744
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: HIGH
Summary
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Vulnerable Configurations
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3024.NASL description An update for ovirt-web-ui is now available for Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The ovirt-web-ui package provides the web interface for Red Hat Virtualization. Security Fix(es) : * nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties (CVE-2019-10744) * bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331) * js-jquery: prototype pollution in object last seen 2020-06-01 modified 2020-06-02 plugin id 129862 published 2019-10-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129862 title RHEL 7 : Virtualization Manager (RHSA-2019:3024) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2019:3024. The text
# itself is copyright (C) Red Hat, Inc.
#
# Purpose: credentialed local check that reports a RHEL 7 host whose
# installed ovirt-web-ui rpm is older than the RHSA-2019:3024 build.
# The verdict is a package-version comparison only; nothing below
# exercises lodash or the vulnerable defaultsDeep code path, so a
# lodash copy patched outside the rpm is not detected either way.
#
include("compat.inc");

# Plugin registration: metadata only. This branch runs when the scanner
# loads the plugin and exits before any host check below.
if (description)
{
  script_id(129862);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/19");

  # All three CVEs fixed by the advisory are attached to the one package check.
  script_cve_id("CVE-2019-10744", "CVE-2019-11358", "CVE-2019-8331");
  script_xref(name:"RHSA", value:"2019:3024");

  script_name(english:"RHEL 7 : Virtualization Manager (RHSA-2019:3024)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for ovirt-web-ui is now available for Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The ovirt-web-ui package provides the web interface for Red Hat Virtualization. Security Fix(es) : * nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties (CVE-2019-10744) * bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331) * js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * Known moderate severity security vulnerability detected by GitHub on ovirt-web-ui components (BZ#1694032)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2019:3024"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2019-8331"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2019-10744"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2019-11358"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected ovirt-web-ui package."
  );

  # Scores are set per plugin, not per CVE; the CVSS3 vector here is the
  # C:H/I:H/A:H worst case across the bundled CVEs, not the lodash CVE alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ovirt-web-ui");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  # The KB keys below are filled by ssh_get_info.nasl; without them the
  # plugin is never scheduled.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# --- Host preconditions: every failed check ends the plugin with an audit()
# --- message rather than a finding, so an uncredentialed scan reports nothing.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");

# Major.minor is taken from the release string; only major 7 is in scope.
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86_64, i386..i686 and s390 are checked; any other CPU is reported as
# "not implemented", which is neither a finding nor a clean result.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

# Preferred path: if the scanner already collected 'yum updateinfo' output,
# the advisory id alone decides the result.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2019:3024";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    # NOTE(review): an empty yum report is answered with AUDIT_OS_NOT and the
    # text "affected by ..."; presumably audit.inc renders this as "not
    # affected by <advisory>" - confirm against the library before relying on it.
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  # Fallback path: compare the installed rpm with the fixed build from the
  # advisory. flag is incremented when rpm_check() considers the installed
  # version older than the reference (presumably via rpm version ordering).
  flag = 0;
  if (rpm_check(release:"RHEL7", reference:"ovirt-web-ui-1.6.0-1.el7")) flag++;

  if (flag)
  {
    # redhat_report_package_caveat() appends the standard note that only the
    # package version was compared, not the vulnerable behaviour itself.
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    # Distinguish "package present but fixed" from "package not installed".
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ovirt-web-ui");
  }
}
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-2362.NASL description The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2362 advisory. - nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties (CVE-2019-10744) - jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) - grafana: information disclosure through world-readable grafana configuration files (CVE-2020-12459) - nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-05 modified 2020-06-03 plugin id 137064 published 2020-06-03 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137064 title RHEL 7 / 8 : Red Hat OpenShift Service Mesh (RHSA-2020:2362) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2020:2362. The text
# itself is copyright (C) Red Hat, Inc.
#
# Purpose: credentialed local check for the OpenShift Service Mesh rpms
# rebuilt by RHSA-2020:2362 (jaeger, kiali, servicemesh-grafana and
# servicemesh-grafana-prometheus). As the description states, the result
# rests on the installed package version only; the lodash, jquery,
# minimist and grafana issues are not exercised.
#
include('compat.inc');

# Plugin registration: metadata only. This branch runs when the scanner
# loads the plugin and exits before any host check below.
if (description)
{
  script_id(137064);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id(
    "CVE-2019-10744",
    "CVE-2020-7598",
    "CVE-2020-11022",
    "CVE-2020-12459"
  );
  script_xref(name:"RHSA", value:"2020:2362");

  script_name(english:"RHEL 7 / 8 : Red Hat OpenShift Service Mesh (RHSA-2020:2362)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2362 advisory. - nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties (CVE-2019-10744) - jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) - grafana: information disclosure through world-readable grafana configuration files (CVE-2020-12459) - nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.");
  # CWE-20 is listed twice in the references, as in the generated plugin.
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/79.html");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/732.html");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:2362");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-10744");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-11022");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-12459");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-7598");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1739497");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1813344");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1828406");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1829724");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");

  # The plugin score is sourced from CVE-2019-10744 (see cvss_score_source),
  # i.e. the lodash issue drives the severity shown for the whole advisory.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10744");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(20, 79, 732);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:service_mesh:1.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:service_mesh:1.0::el7");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:service_mesh:1.0::el8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jaeger");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kiali");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:servicemesh-grafana");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:servicemesh-grafana-prometheus");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The KB keys below are filled by ssh_get_info.nasl; without them the
  # plugin is never scheduled.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('rpm.inc');

# --- Host preconditions: every failed check ends the plugin with an audit()
# --- message rather than a finding.
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item('Host/RedHat/release');
if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');

# Major.minor is taken from the release string; majors 7 and 8 are in scope.
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (! preg(pattern:"^(7|8)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x / 8.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

# x86_64, i386..i686, s390 and aarch64 pass the gate; any other CPU is
# reported as "not implemented", which is neither a finding nor a clean result.
cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

# Fixed builds from the advisory. Each entry is pinned to one RHEL major and
# to x86_64, so the same package name on another arch is not evaluated.
pkgs = [
    {'reference':'jaeger-v1.13.1.redhat7-1.el7', 'cpu':'x86_64', 'release':'7'},
    {'reference':'kiali-v1.0.11.redhat1-1.el7', 'cpu':'x86_64', 'release':'7'},
    {'reference':'servicemesh-grafana-6.2.2-36.el8', 'cpu':'x86_64', 'release':'8'},
    {'reference':'servicemesh-grafana-prometheus-6.2.2-36.el8', 'cpu':'x86_64', 'release':'8'}
];

flag = 0;
foreach package_array ( pkgs ) {
  # Per-package rpm_check() arguments, reset on every iteration. Note that
  # `release` and `cpu` reuse the names of the host-level values read above;
  # neither is read again after the loop, so the clobbering is harmless here.
  reference = NULL;
  release = NULL;
  sp = NULL;
  cpu = NULL;
  el_string = NULL;
  rpm_spec_vers_cmp = NULL;
  epoch = NULL;
  allowmaj = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  # Only reference and release are mandatory; the other keys are absent from
  # every entry above and are passed as NULL.
  if (reference && release) {
    if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  # redhat_report_package_caveat() appends the standard note that only the
  # package version was compared, not the vulnerable behaviour itself.
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
  );
  exit(0);
}
else
{
  # Distinguish "packages present but fixed" from "none of them installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jaeger / kiali / servicemesh-grafana / etc');
}
NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL47105354.NASL description Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. (CVE-2019-10744) Impact An attacker can use Function inside of vulnerable versions of lodash to execute malicious code using the Traffic Management User Interface (TMUI) or iControl REST API. last seen 2020-05-16 modified 2020-04-24 plugin id 135940 published 2020-04-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135940 title F5 Networks BIG-IP : lodash library vulnerability (K47105354) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K47105354.
#
# The text description of this plugin is (C) F5 Networks.
#
# Purpose: credentialed local check that compares the reported BIG-IP
# version and hotfix level, per licensed module, against the affected /
# unaffected matrix from F5 solution K47105354. Only the firmware version
# is inspected; the bundled lodash library itself is not examined.
#
include("compat.inc");

# Plugin registration: metadata only. This branch runs when the scanner
# loads the plugin and exits before any host check below.
if (description)
{
  script_id(135940);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/22");

  script_cve_id("CVE-2019-10744");

  script_name(english:"F5 Networks BIG-IP : Lodash library vulnerability (K47105354)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote device is missing a vendor-supplied security patch."
  );
  # Description text is the vendor's; the "Impact" sentence is F5's own
  # assessment of exposure through TMUI and iControl REST.
  script_set_attribute(
    attribute:"description",
    value:
"Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. (CVE-2019-10744) Impact An attacker can use Function inside of vulnerable versions of lodash to execute malicious code using the Traffic Management User Interface (TMUI) or iControl REST API."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K47105354"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K47105354."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  # Version, hotfix and module KB keys come from f5_bigip_detect.nbin.
  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");

  exit(0);
}

include("f5_func.inc");

# --- Host preconditions: missing credentials or KB data ends the plugin
# --- with an audit() message, never with a finding.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
# The hotfix key only has to exist (it may legitimately be empty), whereas
# the module list must be non-empty for a per-module verdict.
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "K47105354";
vmatrix = make_array();

# Affected / unaffected version lists, copied verbatim from the F5 solution
# for each module. The lists are identical for all nine modules and contain
# repeated and overlapping entries (e.g. "14.1.0-14.1.2", "16.0.0" twice);
# presumably bigip_is_affected() treats the lists as sets, so the duplicates
# do not change the result - confirm against f5_func.inc.

# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected" ] = make_list("15.1.0","15.0.0-15.0.1","14.1.0-14.1.2","13.1.0-13.1.3","15.0.0-15.1.0","14.1.0-14.1.2","13.1.0-13.1.3","12.1.0-12.1.5");
vmatrix["AFM"]["unaffected"] = make_list("16.0.0","15.1.0.2","15.0.1.4","14.1.2.5","13.1.3.2","16.0.0","14.1.2.5","12.1.5.2");

# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected" ] = make_list("15.1.0","15.0.0-15.0.1","14.1.0-14.1.2","13.1.0-13.1.3","15.0.0-15.1.0","14.1.0-14.1.2","13.1.0-13.1.3","12.1.0-12.1.5");
vmatrix["AM"]["unaffected"] = make_list("16.0.0","15.1.0.2","15.0.1.4","14.1.2.5","13.1.3.2","16.0.0","14.1.2.5","12.1.5.2");

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected" ] = make_list("15.1.0","15.0.0-15.0.1","14.1.0-14.1.2","13.1.0-13.1.3","15.0.0-15.1.0","14.1.0-14.1.2","13.1.0-13.1.3","12.1.0-12.1.5");
vmatrix["APM"]["unaffected"] = make_list("16.0.0","15.1.0.2","15.0.1.4","14.1.2.5","13.1.3.2","16.0.0","14.1.2.5","12.1.5.2");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected" ] = make_list("15.1.0","15.0.0-15.0.1","14.1.0-14.1.2","13.1.0-13.1.3","15.0.0-15.1.0","14.1.0-14.1.2","13.1.0-13.1.3","12.1.0-12.1.5");
vmatrix["ASM"]["unaffected"] = make_list("16.0.0","15.1.0.2","15.0.1.4","14.1.2.5","13.1.3.2","16.0.0","14.1.2.5","12.1.5.2");

# GTM
vmatrix["GTM"] = make_array();
vmatrix["GTM"]["affected" ] = make_list("15.1.0","15.0.0-15.0.1","14.1.0-14.1.2","13.1.0-13.1.3","15.0.0-15.1.0","14.1.0-14.1.2","13.1.0-13.1.3","12.1.0-12.1.5");
vmatrix["GTM"]["unaffected"] = make_list("16.0.0","15.1.0.2","15.0.1.4","14.1.2.5","13.1.3.2","16.0.0","14.1.2.5","12.1.5.2");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected" ] = make_list("15.1.0","15.0.0-15.0.1","14.1.0-14.1.2","13.1.0-13.1.3","15.0.0-15.1.0","14.1.0-14.1.2","13.1.0-13.1.3","12.1.0-12.1.5");
vmatrix["LC"]["unaffected"] = make_list("16.0.0","15.1.0.2","15.0.1.4","14.1.2.5","13.1.3.2","16.0.0","14.1.2.5","12.1.5.2");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected" ] = make_list("15.1.0","15.0.0-15.0.1","14.1.0-14.1.2","13.1.0-13.1.3","15.0.0-15.1.0","14.1.0-14.1.2","13.1.0-13.1.3","12.1.0-12.1.5");
vmatrix["LTM"]["unaffected"] = make_list("16.0.0","15.1.0.2","15.0.1.4","14.1.2.5","13.1.3.2","16.0.0","14.1.2.5","12.1.5.2");

# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected" ] = make_list("15.1.0","15.0.0-15.0.1","14.1.0-14.1.2","13.1.0-13.1.3","15.0.0-15.1.0","14.1.0-14.1.2","13.1.0-13.1.3","12.1.0-12.1.5");
vmatrix["PEM"]["unaffected"] = make_list("16.0.0","15.1.0.2","15.0.1.4","14.1.2.5","13.1.3.2","16.0.0","14.1.2.5","12.1.5.2");

# WAM
vmatrix["WAM"] = make_array();
vmatrix["WAM"]["affected" ] = make_list("15.1.0","15.0.0-15.0.1","14.1.0-14.1.2","13.1.0-13.1.3","15.0.0-15.1.0","14.1.0-14.1.2","13.1.0-13.1.3","12.1.0-12.1.5");
vmatrix["WAM"]["unaffected"] = make_list("16.0.0","15.1.0.2","15.0.1.4","14.1.2.5","13.1.3.2","16.0.0","14.1.2.5","12.1.5.2");

# Verdict: bigip_is_affected() decides from the matrix above; the report
# carries per-module detail only when the scan's report_verbosity is > 0.
if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # audit_extra is built before `tested` is checked, so on the "no affected
  # modules" branch it is computed with an empty module list and never used.
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}
The Hacker News
id | THN:101765240E90491A3C0627908D36E708 |
last seen | 2019-07-09 |
modified | 2019-07-09 |
published | 2019-07-09 |
reporter | The Hacker News |
source | https://thehackernews.com/2019/07/lodash-prototype-pollution.html |
title | Unpatched Prototype Pollution Flaw Affects All Versions of Popular Lodash Library |
References
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://security.netapp.com/advisory/ntap-20191004-0005/
- https://access.redhat.com/errata/RHSA-2019:3024
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS