[wp-trac] [WordPress Trac] #49732: lodash 4.17.15 The lodash package is vulnerable to Prototype Pollution.
WordPress Trac
noreply at wordpress.org
Tue Mar 31 03:41:42 UTC 2020
#49732: lodash 4.17.15 The lodash package is vulnerable to Prototype Pollution.
--------------------------+-----------------------------
Reporter: tlterry | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: critical | Keywords:
Focuses: |
--------------------------+-----------------------------
Hi WordPress,
I am having the following issue. Can you please have a look at the issue and
tell us how we can resolve it? Thank you.
EXPLANATION
The lodash package is vulnerable to Prototype Pollution. The template
function in lodash.js, template.js, and lodash.min.js does not account for
unicode newline characters when filtering the sourceURL property of the
options object. Because of how the options object is used, an attacker who
can control the source URL can leverage this to alter properties on the
prototype chain, which can cause other sections of code to behave in an
arbitrary and malicious way.
Please note that this vulnerability is due to an incomplete fix in
sonatype-2019-0500.
DETECTION
The application is vulnerable by using this component.
RECOMMENDATION
There is no non-vulnerable version of this component/package. We recommend
investigating alternative components or a potential mitigating control.
ROOT CAUSE
lodash-4.17.15.tgz META-INF/resources/webjars/lodash/4.17.15/template.js [4.17.13, )
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49732>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
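The mechanism the pasted advisory text describes, shown as an added example that is not lodash's code and not part of the ticket: a reduced model of a template compiler that prepends a `//# sourceURL=` comment built from the caller's `options.sourceURL` to the generated source before handing it to `Function`. Everything here (`buildSource`, the three `compile*` variants, `pollutes` and the `PAYLOAD_*` strings) is constructed for this demonstration. It contrasts no filtering, a filter that strips only ASCII CR/LF (which misses the U+2028/U+2029 line terminators that ECMAScript also treats as line breaks, the "unicode newline characters" the advisory refers to), and a filter that replaces every `\s` character.

```javascript
// Added example, not lodash's code: a reduced model of a template compiler that
// embeds an attacker-controlled sourceURL in generated source. All names below
// (buildSource, compile*, pollutes, PAYLOAD_*) are constructed for this demo.

// Generated source in the shape a templating helper might produce: a
// "//# sourceURL=" comment, then the statement that returns the template
// function. Whatever follows a line terminator inside the comment is code.
function buildSource(templateText, sourceURL) {
  return '//# sourceURL=' + sourceURL + '\n' +
         'return function (data) { return ' + JSON.stringify(templateText) +
         ' + " " + data.name; };';
}

// 1. No filtering: any line terminator in sourceURL ends the comment, and the
//    text after it is compiled and executed when the template is compiled.
function compileUnfiltered(templateText, options = {}) {
  const url = String(options.sourceURL || 'template');
  return Function(buildSource(templateText, url))(); // eslint-disable-line no-new-func
}

// 2. Strips only ASCII CR and LF. U+2028 and U+2029 are also LineTerminator
//    characters in ECMAScript, so they still end the comment (incomplete fix).
function compileAsciiFilter(templateText, options = {}) {
  const url = String(options.sourceURL || 'template').replace(/[\r\n]/g, ' ');
  return Function(buildSource(templateText, url))(); // eslint-disable-line no-new-func
}

// 3. Replaces every whitespace character with a plain space. In JavaScript
//    regexes \s includes U+2028 and U+2029, so no line terminator survives
//    and the comment runs to the "\n" that buildSource itself appends.
function compileHardened(templateText, options = {}) {
  const url = String(options.sourceURL || 'template').replace(/\s/g, ' ');
  return Function(buildSource(templateText, url))(); // eslint-disable-line no-new-func
}

// Constructed payloads: a line terminator, then a statement that writes to
// Object.prototype, then "//" to comment out whatever the compiler appends.
const PAYLOAD_LF    = 'app.js\nObject.prototype.polluted = true;//';
const PAYLOAD_U2028 = 'app.js\u2028Object.prototype.polluted = true;//';

// Compiles and renders one template with the given sourceURL and reports
// whether Object.prototype gained the "polluted" property, cleaning up after.
function pollutes(compile, sourceURL) {
  delete Object.prototype.polluted;
  let rendered = null;
  try {
    const fn = compile('Hello,', { sourceURL });
    rendered = fn({ name: 'world' });
  } catch (e) {
    // A SyntaxError here means the payload merely broke the generated source:
    // a denial of service, not prototype pollution.
  }
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { polluted, rendered };
}

// Stand-alone run: node this_file.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, compile] of [['unfiltered', compileUnfiltered],
                                 ['ascii-filter', compileAsciiFilter],
                                 ['hardened', compileHardened]]) {
    console.log(name, 'LF   :', pollutes(compile, PAYLOAD_LF));
    console.log(name, 'U2028:', pollutes(compile, PAYLOAD_U2028));
  }
}
```

Note that in this model the injected statement runs inside the outer `Function` call, that is, at compile time, so the prototype is modified even if the compiled template is never rendered. The practical check this suggests for an application is to find every place that builds a `//# sourceURL=` (or `//# sourceMappingURL=`) comment from caller-supplied input and confirm the sanitiser removes all line terminators, not just `\r` and `\n`; whether a particular lodash release is affected is decided by reading its own `template.js`, not by this model.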