CVE-2019-10744

Summary

CVE	CVE-2019-10744
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-07-26 00:15:00 UTC
Updated	2024-01-21 02:45:00 UTC
Description	Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Risk And Classification

Problem Types: CWE-1321

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	F5	Big-ip Access Policy Manager	All	All	All	All
Application	F5	Big-ip Advanced Firewall Manager	All	All	All	All
Application	F5	Big-ip Analytics	All	All	All	All
Application	F5	Big-ip Analytics	All	All	All	All
Application	F5	Big-ip Analytics	All	All	All	All
Application	F5	Big-ip Analytics	All	All	All	All
Application	F5	Big-ip Application Acceleration Manager	All	All	All	All
Application	F5	Big-ip Application Security Manager	All	All	All	All
Application	F5	Big-ip Application Visibility And Reporting	All	All	All	All
Application	F5	Big-ip Application Visibility And Reporting	All	All	All	All
Application	F5	Big-ip Domain Name System	All	All	All	All
Application	F5	Big-ip Edge Gateway	All	All	All	All
Application	F5	Big-ip Fraud Protection Service	All	All	All	All
Application	F5	Big-ip Global Traffic Manager	All	All	All	All
Application	F5	Big-ip Link Controller	All	All	All	All
Application	F5	Big-ip Local Traffic Manager	All	All	All	All
Application	F5	Big-ip Policy Enforcement Manager	All	All	All	All
Application	F5	Big-ip Webaccelerator	All	All	All	All
Application	F5	Big-iq Centralized Management	5.4.0	All	All	All
Application	F5	Big-iq Centralized Management	7.0.0	All	All	All
Application	F5	Big-iq Centralized Management	All	All	All	All
Application	F5	Iworkflow	2.3.0	All	All	All
Application	Lodash	Lodash	All	All	All	All
Application	Lodash	Lodash	All	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Service Level Manager	-	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.3.0	All	All	All
Application	Oracle	Banking Extensibility Workbench	14.4.0	All	All	All
Application	Redhat	Virtualization Manager	4.3	All	All	All

References

Reference	Source	Link	Tags
myF5		support.f5.com
support.f5.com/csp/article/K47105354	CONFIRM	support.f5.com	Third Party Advisory
Prototype Pollution in lodash \| Snyk	CONFIRM	snyk.io	Exploit, Third Party Advisory
CVE-2019-10744 Lodash Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Oracle Critical Patch Update Advisory - January 2021	MISC	www.oracle.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
904938 Common Base Linux Mariner (CBL-Mariner) Security Update for mozjs60 (12375)
905056 Common Base Linux Mariner (CBL-Mariner) Security Update for reaper (12623)
981687 Nodejs (npm) Security Update for lodash (GHSA-jf85-cpcp-j695)