Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-3721 (GCVE-0-2018-3721)
Vulnerability from cvelistv5 – Published: 2018-06-07 02:00 – Updated: 2024-09-16 22:34
VLAI?
EPSS
Summary
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Severity ?
No CVSS data available.
CWE
- CWE-471 - Modification of Assumed-Immutable Data (MAID) (CWE-471)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | lodash node module |
Affected:
Versions before 4.17.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/310443"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lodash node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "Versions before 4.17.5"
}
]
}
],
"datePublic": "2018-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-471",
"description": "Modification of Assumed-Immutable Data (MAID) (CWE-471)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-19T16:06:08.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/310443"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2018-3721",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lodash node module",
"version": {
"version_data": [
{
"version_value": "Versions before 4.17.5"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Modification of Assumed-Immutable Data (MAID) (CWE-471)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/310443",
"refsource": "MISC",
"url": "https://hackerone.com/reports/310443"
},
{
"name": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190919-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3721",
"datePublished": "2018-06-07T02:00:00.000Z",
"dateReserved": "2017-12-28T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:34:54.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CERTFR-2022-AVI-924
Vulnerability from certfr_avis - Published: 2022-10-18 - Updated: 2022-10-18
De multiples vulnérabilités ont été découvertes dans IBM QRadar. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM QRadar Pulse App versions ant\u00e9rieures \u00e0 2.2.9",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Analyst Workflow versions ant\u00e9rieures \u00e0 2.31.4",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"name": "CVE-2018-3721",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3721"
},
{
"name": "CVE-2021-22959",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22959"
},
{
"name": "CVE-2020-7788",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7788"
},
{
"name": "CVE-2021-37701",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37701"
},
{
"name": "CVE-2021-33502",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33502"
},
{
"name": "CVE-2021-32804",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32804"
},
{
"name": "CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"name": "CVE-2021-23337",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
},
{
"name": "CVE-2022-0155",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0155"
},
{
"name": "CVE-2021-22960",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22960"
},
{
"name": "CVE-2021-37713",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37713"
},
{
"name": "CVE-2018-25031",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25031"
},
{
"name": "CVE-2021-37712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37712"
},
{
"name": "CVE-2019-1010266",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1010266"
},
{
"name": "CVE-2021-3807",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3807"
},
{
"name": "CVE-2019-10744",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10744"
},
{
"name": "CVE-2022-0536",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0536"
},
{
"name": "CVE-2021-32803",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32803"
},
{
"name": "CVE-2021-23346",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23346"
},
{
"name": "CVE-2021-23566",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23566"
},
{
"name": "CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"name": "CVE-2020-8203",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8203"
},
{
"name": "CVE-2018-16487",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16487"
},
{
"name": "CVE-2021-3918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3918"
},
{
"name": "CVE-2021-3765",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3765"
},
{
"name": "CVE-2021-44907",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44907"
},
{
"name": "CVE-2020-28469",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28469"
},
{
"name": "CVE-2020-7598",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7598"
},
{
"name": "CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
}
],
"initial_release_date": "2022-10-18T00:00:00",
"last_revision_date": "2022-10-18T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-924",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM QRadar.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM QRadar",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6827633 du 17 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6827633"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6830017 du 17 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6830017"
}
]
}
CERTFR-2022-AVI-928
Vulnerability from certfr_avis - Published: 2022-10-19 - Updated: 2022-10-19
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | QRadar | IBM QRadar Pulse App versions antérieures à 2.2.9 | ||
| IBM | N/A | CP4BA version 22.0.1 sans le correctif de sécurité CP4BA 22.0.1-IF2 | ||
| IBM | Cloud Pak | IBM Robotic Process Automation pour Cloud Pak versions antérieures à 21.0.5 | ||
| IBM | N/A | IBM ECM CMIS et FileNet Collaboration Services version 3.0.6 sans le correctif de sécurité CMIS 3.0.6-IF2 | ||
| IBM | Cognos Analytics | IBM Cognos Analytics versions 11.2.x antérieures à 11.2.3 | ||
| IBM | Cognos Analytics | IBM Cognos Analytics versions 11.1.x antérieures à 11.1.7 FP6 | ||
| IBM | N/A | CP4BA version 21.0.3 sans le correctif de sécurité CP4BA 21.0.3-IF12 | ||
| IBM | N/A | Enterprise Content Management System Monitor (ESM) versions 5.5.x antérieures à 5.5.9 | ||
| IBM | QRadar User Behavior Analytics | QRadar User Behavior Analytics version 4.1.8 |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM QRadar Pulse App versions ant\u00e9rieures \u00e0 2.2.9",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "CP4BA version 22.0.1 sans le correctif de s\u00e9curit\u00e9 CP4BA 22.0.1-IF2",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Robotic Process Automation pour Cloud Pak versions ant\u00e9rieures \u00e0 21.0.5",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM ECM CMIS et FileNet Collaboration Services version 3.0.6 sans le correctif de s\u00e9curit\u00e9 CMIS 3.0.6-IF2",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Cognos Analytics versions 11.2.x ant\u00e9rieures \u00e0 11.2.3",
"product": {
"name": "Cognos Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Cognos Analytics versions 11.1.x ant\u00e9rieures \u00e0 11.1.7 FP6",
"product": {
"name": "Cognos Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "CP4BA version 21.0.3 sans le correctif de s\u00e9curit\u00e9 CP4BA 21.0.3-IF12",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Enterprise Content Management System Monitor (ESM) versions 5.5.x ant\u00e9rieures \u00e0 5.5.9",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar User Behavior Analytics version 4.1.8",
"product": {
"name": "QRadar User Behavior Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"name": "CVE-2018-3721",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3721"
},
{
"name": "CVE-2022-22965",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22965"
},
{
"name": "CVE-2021-29425",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
},
{
"name": "CVE-2021-22959",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22959"
},
{
"name": "CVE-2020-7788",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7788"
},
{
"name": "CVE-2021-3733",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3733"
},
{
"name": "CVE-2021-37701",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37701"
},
{
"name": "CVE-2021-34538",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34538"
},
{
"name": "CVE-2021-33502",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33502"
},
{
"name": "CVE-2019-9947",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9947"
},
{
"name": "CVE-2018-20852",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20852"
},
{
"name": "CVE-2021-32804",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32804"
},
{
"name": "CVE-2022-25647",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25647"
},
{
"name": "CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"name": "CVE-2022-0391",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0391"
},
{
"name": "CVE-2020-26116",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26116"
},
{
"name": "CVE-2020-13936",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13936"
},
{
"name": "CVE-2020-4051",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-4051"
},
{
"name": "CVE-2019-9636",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9636"
},
{
"name": "CVE-2021-23337",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
},
{
"name": "CVE-2019-10202",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10202"
},
{
"name": "CVE-2021-4160",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4160"
},
{
"name": "CVE-2021-22960",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22960"
},
{
"name": "CVE-2021-37713",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37713"
},
{
"name": "CVE-2021-43138",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43138"
},
{
"name": "CVE-2018-25031",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25031"
},
{
"name": "CVE-2021-37712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37712"
},
{
"name": "CVE-2021-3711",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3711"
},
{
"name": "CVE-2012-5783",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5783"
},
{
"name": "CVE-2019-1010266",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1010266"
},
{
"name": "CVE-2021-3807",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3807"
},
{
"name": "CVE-2019-10744",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10744"
},
{
"name": "CVE-2021-4189",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4189"
},
{
"name": "CVE-2020-9492",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9492"
},
{
"name": "CVE-2019-9740",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9740"
},
{
"name": "CVE-2021-23450",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23450"
},
{
"name": "CVE-2021-32803",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32803"
},
{
"name": "CVE-2021-3737",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3737"
},
{
"name": "CVE-2020-15523",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15523"
},
{
"name": "CVE-2020-27619",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27619"
},
{
"name": "CVE-2020-8492",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8492"
},
{
"name": "CVE-2021-22569",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
},
{
"name": "CVE-2021-3177",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3177"
},
{
"name": "CVE-2019-18348",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-18348"
},
{
"name": "CVE-2019-0205",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0205"
},
{
"name": "CVE-2019-10172",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10172"
},
{
"name": "CVE-2022-34339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34339"
},
{
"name": "CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"name": "CVE-2020-8203",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8203"
},
{
"name": "CVE-2018-16487",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16487"
},
{
"name": "CVE-2021-3712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3712"
},
{
"name": "CVE-2021-3918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3918"
},
{
"name": "CVE-2018-20406",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20406"
},
{
"name": "CVE-2011-4969",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-4969"
},
{
"name": "CVE-2021-3765",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3765"
},
{
"name": "CVE-2021-44907",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44907"
},
{
"name": "CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"name": "CVE-2012-6708",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6708"
},
{
"name": "CVE-2020-7656",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7656"
},
{
"name": "CVE-2020-28469",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28469"
},
{
"name": "CVE-2020-7598",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7598"
},
{
"name": "CVE-2019-16935",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16935"
},
{
"name": "CVE-2022-26488",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26488"
},
{
"name": "CVE-2022-24758",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24758"
},
{
"name": "CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
}
],
"initial_release_date": "2022-10-19T00:00:00",
"last_revision_date": "2022-10-19T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-928",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-10-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6830211 du 18 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6830211"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6830243 du 18 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6830243"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6828527 du 17 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6828527"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6830257 du 18 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6830257"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6830265 du 18 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6830265"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6830017 du 18 octobre 2022",
"url": "https://www.ibm.com/support/pages/node/6830017"
}
]
}
CERTFR-2024-AVI-0630
Vulnerability from certfr_avis - Published: 2024-07-26 - Updated: 2024-07-26
De multiples vulnérabilités ont été découvertes dans IBM QRadar. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QRadar Pulse App versions ant\u00e9rieures \u00e0 2.2.14",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Data Synchronization App versions ant\u00e9rieures \u00e0 3.2.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Network Packet Capture versions 7.5.0 ant\u00e9rieures \u00e0 7.5.0 Update Package 8",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-40217",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40217"
},
{
"name": "CVE-2018-3721",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3721"
},
{
"name": "CVE-2024-29041",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29041"
},
{
"name": "CVE-2024-28834",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28834"
},
{
"name": "CVE-2021-23364",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23364"
},
{
"name": "CVE-2023-51385",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51385"
},
{
"name": "CVE-2024-4068",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4068"
},
{
"name": "CVE-2023-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38546"
},
{
"name": "CVE-2024-33602",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-33602"
},
{
"name": "CVE-2023-3817",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3817"
},
{
"name": "CVE-2021-23436",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23436"
},
{
"name": "CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"name": "CVE-2023-36632",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36632"
},
{
"name": "CVE-2022-25883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
},
{
"name": "CVE-2024-29415",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29415"
},
{
"name": "CVE-2023-45133",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45133"
},
{
"name": "CVE-2024-33600",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-33600"
},
{
"name": "CVE-2023-4813",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4813"
},
{
"name": "CVE-2024-33599",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-33599"
},
{
"name": "CVE-2016-10540",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10540"
},
{
"name": "CVE-2020-28477",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28477"
},
{
"name": "CVE-2023-5981",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5981"
},
{
"name": "CVE-2024-4067",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4067"
},
{
"name": "CVE-2022-43441",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43441"
},
{
"name": "CVE-2021-43138",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43138"
},
{
"name": "CVE-2023-48795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-48795"
},
{
"name": "CVE-2023-0842",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0842"
},
{
"name": "CVE-2024-27983",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27983"
},
{
"name": "CVE-2022-37601",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
},
{
"name": "CVE-2024-27982",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27982"
},
{
"name": "CVE-2023-3341",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3341"
},
{
"name": "CVE-2023-5156",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5156"
},
{
"name": "CVE-2024-0553",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0553"
},
{
"name": "CVE-2023-3609",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3609"
},
{
"name": "CVE-2022-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3517"
},
{
"name": "CVE-2024-33601",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-33601"
},
{
"name": "CVE-2024-27088",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27088"
},
{
"name": "CVE-2023-6129",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6129"
},
{
"name": "CVE-2022-25881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
},
{
"name": "CVE-2021-24033",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-24033"
},
{
"name": "CVE-2024-28863",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28863"
},
{
"name": "CVE-2024-31905",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31905"
},
{
"name": "CVE-2023-4806",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4806"
},
{
"name": "CVE-2018-16487",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16487"
},
{
"name": "CVE-2021-42740",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42740"
},
{
"name": "CVE-2016-10538",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10538"
},
{
"name": "CVE-2023-35001",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35001"
},
{
"name": "CVE-2024-28835",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28835"
},
{
"name": "CVE-2023-32233",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32233"
},
{
"name": "CVE-2023-42282",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42282"
},
{
"name": "CVE-2023-39615",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39615"
},
{
"name": "CVE-2023-3446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
},
{
"name": "CVE-2023-0361",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0361"
},
{
"name": "CVE-2023-5678",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5678"
},
{
"name": "CVE-2024-2961",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-2961"
},
{
"name": "CVE-2024-0567",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0567"
},
{
"name": "CVE-2021-3757",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3757"
}
],
"initial_release_date": "2024-07-26T00:00:00",
"last_revision_date": "2024-07-26T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0630",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-07-26T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM QRadar. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM QRadar",
"vendor_advisories": [
{
"published_at": "2024-07-24",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7161462",
"url": "https://www.ibm.com/support/pages/node/7161462"
},
{
"published_at": "2024-07-23",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7160961",
"url": "https://www.ibm.com/support/pages/node/7160961"
},
{
"published_at": "2024-07-22",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7160858",
"url": "https://www.ibm.com/support/pages/node/7160858"
}
]
}
CERTFR-2022-AVI-266
Vulnerability from certfr_avis - Published: 2022-03-23 - Updated: 2022-03-23
De multiples vulnérabilités ont été découvertes dans IBM WebSphere Service Registry and Repository. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "WebSphere Service Registry and Repository versions 8.5.x ant\u00e9rieures \u00e0 8.5.6.3",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-3721",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3721"
},
{
"name": "CVE-2017-1000427",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-1000427"
},
{
"name": "CVE-2018-15494",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-15494"
},
{
"name": "CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"name": "CVE-2014-0114",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0114"
},
{
"name": "CVE-2019-14863",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14863"
},
{
"name": "CVE-2020-7676",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7676"
},
{
"name": "CVE-2017-18640",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18640"
},
{
"name": "CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"name": "CVE-2016-10531",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10531"
},
{
"name": "CVE-2019-10086",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10086"
},
{
"name": "CVE-2015-8854",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8854"
},
{
"name": "CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"name": "CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
}
],
"initial_release_date": "2022-03-23T00:00:00",
"last_revision_date": "2022-03-23T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-266",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-03-23T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM WebSphere\nService Registry and Repository. Certaines d\u0027entre elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un\nd\u00e9ni de service \u00e0 distance et un contournement de la politique de\ns\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM WebSphere Service Registry and Repository",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6565389 du 22 mars 2022",
"url": "https://www.ibm.com/support/pages/node/6565389"
}
]
}
CERTFR-2018-AVI-589
Vulnerability from certfr_avis - Published: 2018-12-10 - Updated: 2018-12-11
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | N/A | IBM Cúram Social Program Management (SPM) versions 6.1.x antérieures à 6.1.1.6 iFix2 | ||
| IBM | N/A | IBM Security SiteProtector System versions 3.0.0.x antérieures à 3.0.0.20 | ||
| IBM | N/A | IBM Cúram Social Program Management (SPM) versions 7.x antérieures à 7.0.4.0 iFix1 | ||
| IBM | N/A | VRA - Vyatta 5600 | ||
| IBM | WebSphere | IBM Java SDK dans IBM WebSphere Application Server versions 1.0.0.0 à 1.0.0.7 et 2.2.0.0 à 2.2.6.0 | ||
| IBM | N/A | IBM Cúram Social Program Management (SPM) versions 6.2.x antérieures à 6.2.0.6 iFix2 | ||
| IBM | QRadar | IBM QRadar Network Security versions 5.5.x antérieures à 5.5.0.1 | ||
| IBM | N/A | IBM DataPower Gateway versions 7.6.x antérieures à 7.6.0.3 | ||
| IBM | N/A | IBM Social Program Management Design System versions antérieures à 1.4.0 | ||
| IBM | N/A | IBM Cúram Social Program Management (SPM) versions 6.0.5.x antérieures à 6.0.5.10 iFix4 | ||
| IBM | N/A | IBM DataPower Gateway versions 7.1.x antérieures à 7.1.0.20 | ||
| IBM | N/A | IBM DataPower Gateway versions 7.5.2.x antérieures à 7.2.10 | ||
| IBM | N/A | IBM Cúram Social Program Management (SPM) versions 7.0.x antérieures à 7.0.1.3 | ||
| IBM | N/A | IBM Lotus Protector for Mail Security version 2.8.1.0 | ||
| IBM | N/A | IBM DataPower Gateway versions 7.2.x antérieures à 7.2.0.17 | ||
| IBM | QRadar | IBM QRadar Network Security versions 5.4.x antérieures à 5.4.0.6 | ||
| IBM | N/A | IBM DataPower Gateway versions 7.5.1.x antérieures à 7.1.10 | ||
| IBM | N/A | IBM Security SiteProtector System versions 3.1.1.x antérieures à 3.1.1.17 | ||
| IBM | N/A | IBM DataPower Gateway versions 7.5.0.x antérieures à 7.5.0.11 | ||
| IBM | WebSphere | WebSphere Application Server versions antérieures à 9.0.0.10 | ||
| IBM | N/A | IBM Voice Gateway versions antérieures à 1.0.0.7a | ||
| IBM | N/A | IBM Lotus Protector for Mail Security version 2.8.3.0 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM C\u00faram Social Program Management (SPM) versions 6.1.x ant\u00e9rieures \u00e0 6.1.1.6 iFix2",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Security SiteProtector System versions 3.0.0.x ant\u00e9rieures \u00e0 3.0.0.20",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM C\u00faram Social Program Management (SPM) versions 7.x ant\u00e9rieures \u00e0 7.0.4.0 iFix1",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "VRA - Vyatta 5600",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Java SDK dans IBM WebSphere Application Server versions 1.0.0.0 \u00e0 1.0.0.7 et 2.2.0.0 \u00e0 2.2.6.0",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM C\u00faram Social Program Management (SPM) versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.6 iFix2",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Network Security versions 5.5.x ant\u00e9rieures \u00e0 5.5.0.1",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM DataPower Gateway versions 7.6.x ant\u00e9rieures \u00e0 7.6.0.3",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Social Program Management Design System versions ant\u00e9rieures \u00e0 1.4.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM C\u00faram Social Program Management (SPM) versions 6.0.5.x ant\u00e9rieures \u00e0 6.0.5.10 iFix4",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM DataPower Gateway versions 7.1.x ant\u00e9rieures \u00e0 7.1.0.20",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM DataPower Gateway versions 7.5.2.x ant\u00e9rieures \u00e0 7.2.10",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM C\u00faram Social Program Management (SPM) versions 7.0.x ant\u00e9rieures \u00e0 7.0.1.3",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Lotus Protector for Mail Security version 2.8.1.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM DataPower Gateway versions 7.2.x ant\u00e9rieures \u00e0 7.2.0.17",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Network Security versions 5.4.x ant\u00e9rieures \u00e0 5.4.0.6",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM DataPower Gateway versions 7.5.1.x ant\u00e9rieures \u00e0 7.1.10",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Security SiteProtector System versions 3.1.1.x ant\u00e9rieures \u00e0 3.1.1.17",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM DataPower Gateway versions 7.5.0.x ant\u00e9rieures \u00e0 7.5.0.11",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Application Server versions ant\u00e9rieures \u00e0 9.0.0.10",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Voice Gateway versions ant\u00e9rieures \u00e0 1.0.0.7a",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Lotus Protector for Mail Security version 2.8.3.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-16058",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16058"
},
{
"name": "CVE-2018-10873",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10873"
},
{
"name": "CVE-2018-3721",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3721"
},
{
"name": "CVE-2018-16396",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16396"
},
{
"name": "CVE-2018-0737",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-0737"
},
{
"name": "CVE-2018-10933",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10933"
},
{
"name": "CVE-2018-16658",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16658"
},
{
"name": "CVE-2018-0739",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-0739"
},
{
"name": "CVE-2018-10902",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10902"
},
{
"name": "CVE-2018-15594",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-15594"
},
{
"name": "CVE-2018-16151",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16151"
},
{
"name": "CVE-2018-8039",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8039"
},
{
"name": "CVE-2018-1656",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1656"
},
{
"name": "CVE-2018-1671",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1671"
},
{
"name": "CVE-2018-2973",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-2973"
},
{
"name": "CVE-2018-6554",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-6554"
},
{
"name": "CVE-2018-1652",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1652"
},
{
"name": "CVE-2018-16842",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16842"
},
{
"name": "CVE-2018-17182",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17182"
},
{
"name": "CVE-2018-2964",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-2964"
},
{
"name": "CVE-2018-3139",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3139"
},
{
"name": "CVE-2018-15572",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-15572"
},
{
"name": "CVE-2018-14609",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14609"
},
{
"name": "CVE-2018-3620",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3620"
},
{
"name": "CVE-2018-14618",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14618"
},
{
"name": "CVE-2018-16395",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16395"
},
{
"name": "CVE-2017-3732",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-3732"
},
{
"name": "CVE-2017-3736",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-3736"
},
{
"name": "CVE-2018-16056",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16056"
},
{
"name": "CVE-2018-3180",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3180"
},
{
"name": "CVE-2018-1900",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1900"
},
{
"name": "CVE-2018-14617",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14617"
},
{
"name": "CVE-2017-3735",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-3735"
},
{
"name": "CVE-2018-16839",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16839"
},
{
"name": "CVE-2018-14633",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14633"
},
{
"name": "CVE-2018-14678",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14678"
},
{
"name": "CVE-2018-13099",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-13099"
},
{
"name": "CVE-2018-0732",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-0732"
},
{
"name": "CVE-2018-9516",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-9516"
},
{
"name": "CVE-2018-9363",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-9363"
},
{
"name": "CVE-2018-16152",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16152"
},
{
"name": "CVE-2018-10938",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10938"
},
{
"name": "CVE-2018-14734",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14734"
},
{
"name": "CVE-2016-0705",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-0705"
},
{
"name": "CVE-2018-1957",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1957"
},
{
"name": "CVE-2018-1654",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1654"
},
{
"name": "CVE-2018-0495",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-0495"
},
{
"name": "CVE-2018-18065",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18065"
},
{
"name": "CVE-2018-8013",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8013"
},
{
"name": "CVE-2018-12539",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12539"
},
{
"name": "CVE-2018-16276",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16276"
}
],
"initial_release_date": "2018-12-10T00:00:00",
"last_revision_date": "2018-12-11T00:00:00",
"links": [],
"reference": "CERTFR-2018-AVI-589",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-12-10T00:00:00.000000"
},
{
"description": "Ajout de deux bulletins de s\u00e9curit\u00e9 IBM Lotus Protector",
"revision_date": "2018-12-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0 distance et un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10732880 du 07 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10732880"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10739019 du 05 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10739019"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10744291 du 05 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10744291"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10744157 du 07 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10744157"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10739035 du 06 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10739035"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10744557 du 07 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10744557"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10739985 du 06 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10739985"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10740799 du 06 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10740799"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10743847 du 06 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10743847"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10736137 du 06 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10736137"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10742369 du 06 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10742369"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10739027 du 06 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10739027"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10744247 du 06 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10744247"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10744553 du 06 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10744553"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM ibm10740789 du 07 d\u00e9cembre 2018",
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10740789"
}
]
}
GSD-2018-3721
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-3721",
"description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
"id": "GSD-2018-3721",
"references": [
"https://access.redhat.com/errata/RHSA-2021:3917"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-3721"
],
"details": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
"id": "GSD-2018-3721",
"modified": "2023-12-13T01:22:43.483326Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2018-3721",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lodash node module",
"version": {
"version_data": [
{
"version_value": "Versions before 4.17.5"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Modification of Assumed-Immutable Data (MAID) (CWE-471)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/310443",
"refsource": "MISC",
"url": "https://hackerone.com/reports/310443"
},
{
"name": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190919-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c4.17.5",
"affected_versions": "All versions before 4.17.5",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2019-10-03",
"description": "lodash node module suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of `Object` via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.",
"fixed_versions": [
"4.17.5"
],
"identifier": "CVE-2018-3721",
"identifiers": [
"CVE-2018-3721"
],
"not_impacted": "All versions starting from 4.17.5",
"package_slug": "npm/lodash",
"pubdate": "2018-06-07",
"solution": "Upgrade to version 4.17.5 or above.",
"title": "Modification of Assumed-Immutable Data (MAID)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-3721"
],
"uuid": "d85c7e84-cd50-4829-85a4-7e0e69f1b396"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "F1E3DEC7-ABF9-477C-82B8-1644C96BD7DF",
"versionEndExcluding": "4.17.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
"matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
"matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
"matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:system_manager:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0968FEE3-7685-4747-AEC0-DB6E0F35E256",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
},
{
"lang": "es",
"value": "El m\u00f3dulo de node lodash en versiones anteriores a la 4.17.5 se ve afectada por una vulnerabilidad MAID (modificaci\u00f3n de datos asumidos como asumible) mediante las funciones \"defaultsDeep\", \"merge\" y \"mergeWith\", lo que permite que un usuario malicioso modifique el prototipo de \"Object\" mediante __proto__, provocando la adici\u00f3n o modificaci\u00f3n de una propiedad existente que va a existir en todos los objetos."
}
],
"id": "CVE-2018-3721",
"lastModified": "2024-02-16T16:54:46.910",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-07T02:29:08.317",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Patch"
],
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/310443"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-471"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
}
]
}
}
}
}
FKIE_CVE-2018-3721
Vulnerability from fkie_nvd - Published: 2018-06-07 02:29 - Updated: 2024-11-21 04:05
Severity ?
Summary
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
References
| URL | Tags | ||
|---|---|---|---|
| support@hackerone.com | https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a | Patch | |
| support@hackerone.com | https://hackerone.com/reports/310443 | Exploit, Third Party Advisory | |
| support@hackerone.com | https://security.netapp.com/advisory/ntap-20190919-0004/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/310443 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20190919-0004/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| lodash | lodash | * | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | system_manager | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "F1E3DEC7-ABF9-477C-82B8-1644C96BD7DF",
"versionEndExcluding": "4.17.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
"matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
"matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
"matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:system_manager:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0968FEE3-7685-4747-AEC0-DB6E0F35E256",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects."
},
{
"lang": "es",
"value": "El m\u00f3dulo de node lodash en versiones anteriores a la 4.17.5 se ve afectada por una vulnerabilidad MAID (modificaci\u00f3n de datos asumidos como asumible) mediante las funciones \"defaultsDeep\", \"merge\" y \"mergeWith\", lo que permite que un usuario malicioso modifique el prototipo de \"Object\" mediante __proto__, provocando la adici\u00f3n o modificaci\u00f3n de una propiedad existente que va a existir en todos los objetos."
}
],
"id": "CVE-2018-3721",
"lastModified": "2024-11-21T04:05:56.943",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-07T02:29:08.317",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Patch"
],
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/310443"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/310443"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190919-0004/"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-471"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-FVQR-27WR-82FM
Vulnerability from github – Published: 2018-07-26 15:14 – Updated: 2025-08-12 21:37
VLAI?
Summary
Prototype Pollution in lodash
Details
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.17.5 or later.
Severity ?
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "lodash"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.17.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "lodash-rails"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.17.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-3721"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-471"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:35:26Z",
"nvd_published_at": "2018-06-07T02:29:08Z",
"severity": "MODERATE"
},
"details": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are \u0027defaultsDeep\u0027, \u0027merge\u0027, and \u0027mergeWith\u0027 which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.",
"id": "GHSA-fvqr-27wr-82fm",
"modified": "2025-08-12T21:37:06Z",
"published": "2018-07-26T15:14:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/310443"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190919-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in lodash"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…