CVE-2019-10744: Input Validation
First published: Wed Jul 10 2019(Updated: )
A Prototype Pollution vulnerability was found in lodash. Calling certain methods with untrusted JSON could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
Credit: report@snyk.io report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jaeger | <0:v1.13.1.redhat7-1.el7 | 0:v1.13.1.redhat7-1.el7 |
| redhat/kiali | <0:v1.0.11.redhat1-1.el7 | 0:v1.0.11.redhat1-1.el7 |
| redhat/servicemesh-grafana | <0:6.2.2-36.el8 | 0:6.2.2-36.el8 |
| redhat/ovirt-web-ui | <0:1.6.0-1.el7e | 0:1.6.0-1.el7e |
| redhat/lodash | <4.17.12 | 4.17.12 |
| npm/lodash.defaultsdeep | <4.6.1 | 4.6.1 |
| npm/lodash-amd | <4.17.13 | 4.17.13 |
| npm/lodash-es | <4.17.14 | 4.17.14 |
| npm/lodash | <4.17.12 | 4.17.12 |
| Lodash Lodash Node.js | <4.17.12 | |
| NetApp Service Level Manager | ||
| Redhat Virtualization Manager | =4.3 | |
| Oracle Banking Extensibility Workbench | =14.3.0 | |
| Oracle Banking Extensibility Workbench | =14.4.0 | |
| F5 BIG-IP Access Policy Manager | >=12.1.0<12.1.5.2 | |
| F5 BIG-IP Access Policy Manager | >=13.1.0<13.1.3.4 | |
| F5 BIG-IP Access Policy Manager | >=14.1.0<14.1.2.5 | |
| F5 BIG-IP Access Policy Manager | >=15.0.0<15.0.1.4 | |
| F5 BIG-IP Access Policy Manager | >=15.1.0<15.1.0.2 | |
| F5 BIG-IP Advanced Firewall Manager | >=12.1.0<12.1.5.2 | |
| F5 BIG-IP Advanced Firewall Manager | >=13.1.0<13.1.3.4 | |
| F5 BIG-IP Advanced Firewall Manager | >=14.1.0<14.1.2.5 | |
| F5 BIG-IP Advanced Firewall Manager | >=15.0.0<15.0.1.4 | |
| F5 BIG-IP Advanced Firewall Manager | >=15.1.0<15.1.0.2 | |
| F5 BIG-IP Analytics | >=12.1.0<=12.1.5 | |
| F5 BIG-IP Analytics | >=13.1.0<=13.1.3 | |
| F5 BIG-IP Analytics | >=14.1.0<=14.1.2 | |
| F5 BIG-IP Analytics | >=15.0.0<15.0.1.3 | |
| F5 BIG-IP Analytics | >=15.1.0<15.1.0.2 | |
| F5 Big-ip Application Acceleration Manager | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Application Acceleration Manager | >=13.1.0<13.1.3.4 | |
| F5 Big-ip Application Acceleration Manager | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Application Acceleration Manager | >=15.0.0<15.0.1.4 | |
| F5 Big-ip Application Acceleration Manager | >=15.1.0<15.1.0.2 | |
| F5 BIG-IP Application Security Manager | >=12.1.0<12.1.5.2 | |
| F5 BIG-IP Application Security Manager | >=13.1.0<13.1.3.4 | |
| F5 BIG-IP Application Security Manager | >=14.1.0<14.1.2.5 | |
| F5 BIG-IP Application Security Manager | >=15.0.0<15.0.1.4 | |
| F5 BIG-IP Application Security Manager | >=15.1.0<15.1.0.2 | |
| F5 Big-ip Application Visibility And Reporting | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Application Visibility And Reporting | >=13.1.0<=13.1.3 | |
| F5 Big-ip Application Visibility And Reporting | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Application Visibility And Reporting | >=15.1.0<15.1.1 | |
| F5 Big-ip Domain Name System | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Domain Name System | >=13.1.0<13.1.3.4 | |
| F5 Big-ip Domain Name System | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Domain Name System | >=15.0.0<15.0.1.4 | |
| F5 Big-ip Domain Name System | >=15.1.0<15.1.0.2 | |
| F5 Big-ip Edge Gateway | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Edge Gateway | >=13.1.0<13.1.3.4 | |
| F5 Big-ip Edge Gateway | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Edge Gateway | >=15.0.0<15.0.1.4 | |
| F5 Big-ip Edge Gateway | >=15.1.0<15.1.0.2 | |
| F5 Big-ip Fraud Protection Service | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Fraud Protection Service | >=13.1.0<13.1.3.4 | |
| F5 Big-ip Fraud Protection Service | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Fraud Protection Service | >=15.0.0<15.0.1.4 | |
| F5 Big-ip Fraud Protection Service | >=15.1.0<15.1.0.2 | |
| F5 Big-ip Global Traffic Manager | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Global Traffic Manager | >=13.1.0<13.1.3.4 | |
| F5 Big-ip Global Traffic Manager | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Global Traffic Manager | >=15.0.0<15.0.1.4 | |
| F5 Big-ip Global Traffic Manager | >=15.1.0<15.1.0.2 | |
| F5 Big-ip Link Controller | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Link Controller | >=13.1.0<13.1.3.4 | |
| F5 Big-ip Link Controller | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Link Controller | >=15.0.0<15.0.1.4 | |
| F5 Big-ip Link Controller | >=15.1.0<15.1.0.2 | |
| F5 Big-ip Local Traffic Manager | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Local Traffic Manager | >=13.1.0<13.1.3.4 | |
| F5 Big-ip Local Traffic Manager | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Local Traffic Manager | >=15.0.0<15.0.1.4 | |
| F5 Big-ip Local Traffic Manager | >=15.1.0<15.1.0.2 | |
| F5 Big-ip Policy Enforcement Manager | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Policy Enforcement Manager | >=13.1.0<13.1.3.4 | |
| F5 Big-ip Policy Enforcement Manager | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Policy Enforcement Manager | >=15.0.0<15.0.1.4 | |
| F5 Big-ip Policy Enforcement Manager | >=15.1.0<15.1.0.2 | |
| F5 Big-ip Webaccelerator | >=12.1.0<12.1.5.2 | |
| F5 Big-ip Webaccelerator | >=13.1.0<13.1.3.4 | |
| F5 Big-ip Webaccelerator | >=14.1.0<14.1.2.5 | |
| F5 Big-ip Webaccelerator | >=15.0.0<15.0.1.4 | |
| F5 Big-ip Webaccelerator | >=15.1.0<15.1.0.2 | |
| F5 BIG-IQ Centralized Management | >=6.0.0<=6.1.0 | |
| F5 BIG-IQ Centralized Management | =5.4.0 | |
| F5 BIG-IQ Centralized Management | =7.0.0 | |
| F5 iWorkflow | =2.3.0 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/lodash/lodash/pull/4336
- https://nvd.nist.gov/vuln/detail/CVE-2019-10744
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://www.npmjs.com/advisories/1065
- https://access.redhat.com/errata/RHSA-2019:3024
- https://security.netapp.com/advisory/ntap-20191004-0005/
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://github.com/advisories/GHSA-jf85-cpcp-j695 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/167415
- https://www.ibm.com/support/pages/node/6570957 (Advisory)
- https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS
- https://github.com/lodash/lodash/issues/4348
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1739502
- https://access.redhat.com/security/cve/cve-2019-10744
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1739497#c9
- https://access.redhat.com/errata/RHSA-2020:2362
- https://access.redhat.com/errata/RHSA-2020:2819
- https://www.elastic.co/community/security
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/errata/RHSA-2022:5101
- https://bugzilla.redhat.com/show_bug.cgi?id=1739497
- https://www.cve.org/CVERecord?id=CVE-2019-10744 https://nvd.nist.gov/vuln/detail/CVE-2019-10744
- https://access.redhat.com/security/cve/CVE-2019-10744
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-10744?
CVE-2019-10744 is a vulnerability known as Prototype Pollution that affects versions of lodash before 4.17.12.
How does CVE-2019-10744 affect lodash?
CVE-2019-10744 allows a malicious user to modify the prototype of Object via defaultsDeep in lodash, leading to the addition or modification of properties that will exist on all objects.
What is the severity rating of CVE-2019-10744?
CVE-2019-10744 has a critical severity rating.
Which software versions are affected by CVE-2019-10744?
Versions of lodash lower than 4.17.12 are affected by CVE-2019-10744.
How can I fix CVE-2019-10744?
To fix CVE-2019-10744, update lodash to version 4.17.12 or higher.
- collector/redhat-cve
- collector/ibm-support
- agent/type
- agent/first-publish-date
- agent/severity
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10744
- agent/software-canonical-lookup
- agent/event
- agent/description
- agent/author
- agent/weakness
- agent/remedy
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jf85-cpcp-j695
- agent/last-modified-date
- collector/github-advisory
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- package-manager/redhat
- package-manager/npm
- vendor/lodash
- canonical/lodash lodash node.js
- vendor/netapp
- canonical/netapp service level manager
- vendor/redhat
- canonical/redhat virtualization manager
- version/redhat virtualization manager/4.3
- vendor/oracle
- canonical/oracle banking extensibility workbench
- version/oracle banking extensibility workbench/14.3.0
- version/oracle banking extensibility workbench/14.4.0
- vendor/f5
- canonical/f5 big-ip access policy manager
- version/f5 big-ip access policy manager/12.1.0
- version/f5 big-ip access policy manager/13.1.0
- version/f5 big-ip access policy manager/14.1.0
- version/f5 big-ip access policy manager/15.0.0
- version/f5 big-ip access policy manager/15.1.0
- canonical/f5 big-ip advanced firewall manager
- version/f5 big-ip advanced firewall manager/12.1.0
- version/f5 big-ip advanced firewall manager/13.1.0
- version/f5 big-ip advanced firewall manager/14.1.0
- version/f5 big-ip advanced firewall manager/15.0.0
- version/f5 big-ip advanced firewall manager/15.1.0
- canonical/f5 big-ip analytics
- version/f5 big-ip analytics/12.1.0
- version/f5 big-ip analytics/12.1.5
- version/f5 big-ip analytics/13.1.0
- version/f5 big-ip analytics/13.1.3
- version/f5 big-ip analytics/14.1.0
- version/f5 big-ip analytics/14.1.2
- version/f5 big-ip analytics/15.0.0
- version/f5 big-ip analytics/15.1.0
- canonical/f5 big-ip application acceleration manager
- version/f5 big-ip application acceleration manager/12.1.0
- version/f5 big-ip application acceleration manager/13.1.0
- version/f5 big-ip application acceleration manager/14.1.0
- version/f5 big-ip application acceleration manager/15.0.0
- version/f5 big-ip application acceleration manager/15.1.0
- canonical/f5 big-ip application security manager
- version/f5 big-ip application security manager/12.1.0
- version/f5 big-ip application security manager/13.1.0
- version/f5 big-ip application security manager/14.1.0
- version/f5 big-ip application security manager/15.0.0
- version/f5 big-ip application security manager/15.1.0
- canonical/f5 big-ip application visibility and reporting
- version/f5 big-ip application visibility and reporting/12.1.0
- version/f5 big-ip application visibility and reporting/13.1.0
- version/f5 big-ip application visibility and reporting/13.1.3
- version/f5 big-ip application visibility and reporting/14.1.0
- version/f5 big-ip application visibility and reporting/15.1.0
- canonical/f5 big-ip domain name system
- version/f5 big-ip domain name system/12.1.0
- version/f5 big-ip domain name system/13.1.0
- version/f5 big-ip domain name system/14.1.0
- version/f5 big-ip domain name system/15.0.0
- version/f5 big-ip domain name system/15.1.0
- canonical/f5 big-ip edge gateway
- version/f5 big-ip edge gateway/12.1.0
- version/f5 big-ip edge gateway/13.1.0
- version/f5 big-ip edge gateway/14.1.0
- version/f5 big-ip edge gateway/15.0.0
- version/f5 big-ip edge gateway/15.1.0
- canonical/f5 big-ip fraud protection service
- version/f5 big-ip fraud protection service/12.1.0
- version/f5 big-ip fraud protection service/13.1.0
- version/f5 big-ip fraud protection service/14.1.0
- version/f5 big-ip fraud protection service/15.0.0
- version/f5 big-ip fraud protection service/15.1.0
- canonical/f5 big-ip global traffic manager
- version/f5 big-ip global traffic manager/12.1.0
- version/f5 big-ip global traffic manager/13.1.0
- version/f5 big-ip global traffic manager/14.1.0
- version/f5 big-ip global traffic manager/15.0.0
- version/f5 big-ip global traffic manager/15.1.0
- canonical/f5 big-ip link controller
- version/f5 big-ip link controller/12.1.0
- version/f5 big-ip link controller/13.1.0
- version/f5 big-ip link controller/14.1.0
- version/f5 big-ip link controller/15.0.0
- version/f5 big-ip link controller/15.1.0
- canonical/f5 big-ip local traffic manager
- version/f5 big-ip local traffic manager/12.1.0
- version/f5 big-ip local traffic manager/13.1.0
- version/f5 big-ip local traffic manager/14.1.0
- version/f5 big-ip local traffic manager/15.0.0
- version/f5 big-ip local traffic manager/15.1.0
- canonical/f5 big-ip policy enforcement manager
- version/f5 big-ip policy enforcement manager/12.1.0
- version/f5 big-ip policy enforcement manager/13.1.0
- version/f5 big-ip policy enforcement manager/14.1.0
- version/f5 big-ip policy enforcement manager/15.0.0
- version/f5 big-ip policy enforcement manager/15.1.0
- canonical/f5 big-ip webaccelerator
- version/f5 big-ip webaccelerator/12.1.0
- version/f5 big-ip webaccelerator/13.1.0
- version/f5 big-ip webaccelerator/14.1.0
- version/f5 big-ip webaccelerator/15.0.0
- version/f5 big-ip webaccelerator/15.1.0
- canonical/f5 big-iq centralized management
- version/f5 big-iq centralized management/6.0.0
- version/f5 big-iq centralized management/6.1.0
- version/f5 big-iq centralized management/5.4.0
- version/f5 big-iq centralized management/7.0.0
- canonical/f5 iworkflow
- version/f5 iworkflow/2.3.0
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows