Out-of-date Version (Lodash)

[Kiran]

Hello there,

We are using the cBioPortal version 6.2.0 and found a captioned vulnerability. Do you have any plans to upgrade Lodash?

Lodash version used: 4.17.11

Lodash latest version: 4.17.21

Please find the vulnerability below.

Thanks,

Kiran

1. Out-of-date Version (Lodash)

CRITICAL

1

Invicti Standard identified that the target web site is using Lodash and detected that it is out of date.

Impact

Since this is an old version of the software, it may be vulnerable to attacks.

Hide Known Vulnerabilities in Out-of-date Version (Lodash)

Lodash Other Vulnerability

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

External References

• CVE-2019-10744

Lodash Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Vulnerability

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

CVSS

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

External References

• CVE-2020-8203

Lodash Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

External References

• CVE-2021-23337

Lodash Other Vulnerability

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

External References

• CVE-2020-28500