RubyGems package
lodash-rails
pkg:gem/lodash-rails
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-23337 | — | — | — | < 4.17.21 | 4.17.21 | Feb 15, 2021 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. |
| CVE-2020-28500 | — | — | — | >= 4.0.0, < 4.17.21 | 4.17.21 | Feb 15, 2021 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. |
| CVE-2020-8203 | — | — | — | >= 3.7.0, < 4.17.19 | 4.17.19 | Jul 15, 2020 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. |
| CVE-2019-10744 | — | — | — | < 4.17.12 | 4.17.12 | Jul 25, 2019 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. |
| CVE-2019-1010266 | — | — | — | >= 4.7.0, < 4.17.11 | 4.17.11 | Jul 17, 2019 | lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fix |
| CVE-2018-16487 | — | — | — | < 4.17.11 | 4.17.11 | Feb 1, 2019 | A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. |
| CVE-2018-3721 | — | — | — | < 4.17.5 | 4.17.5 | Jun 7, 2018 | lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of a |
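As an added example (not from this page or the lodash-rails project): a Ruby script that reads a Gemfile.lock, finds the locked lodash-rails version, reports which of the seven advisories above still apply, and names the lowest release that closes all of them. It assumes that lodash-rails version numbers track the bundled lodash version, so the gem version can be compared directly against the Affected versions column, and it takes its ranges from that column rather than from the CVE text (for CVE-2020-8203 the column says < 4.17.19 while the CVE text says "before 4.17.20"). The sample lockfile is constructed; pass a real path as the first argument to audit a project.

```ruby
# Added example: audit a Gemfile.lock against the lodash-rails advisories listed above.
# Not part of the page or the lodash-rails project. Assumption: lodash-rails
# version numbers track the bundled lodash version, so the gem version can be
# compared directly against the "Affected versions" column.
require 'rubygems'

# Affected ranges and fixed versions, copied from the table above.
LODASH_RAILS_ADVISORIES = {
  'CVE-2021-23337'   => { affected: ['< 4.17.21'],             fixed: '4.17.21' },
  'CVE-2020-28500'   => { affected: ['>= 4.0.0', '< 4.17.21'], fixed: '4.17.21' },
  'CVE-2020-8203'    => { affected: ['>= 3.7.0', '< 4.17.19'], fixed: '4.17.19' },
  'CVE-2019-10744'   => { affected: ['< 4.17.12'],             fixed: '4.17.12' },
  'CVE-2019-1010266' => { affected: ['>= 4.7.0', '< 4.17.11'], fixed: '4.17.11' },
  'CVE-2018-16487'   => { affected: ['< 4.17.11'],             fixed: '4.17.11' },
  'CVE-2018-3721'    => { affected: ['< 4.17.5'],              fixed: '4.17.5'  },
}.freeze

# Bundler writes each resolved gem under "specs:" as "    name (version)" with
# exactly four leading spaces; a gem's own dependencies are indented deeper,
# so the anchored pattern does not mistake a dependency line such as
# "      lodash-rails (>= 3.1)" for the locked entry.
def locked_version(lockfile_text, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/
  lockfile_text.each_line do |line|
    m = pattern.match(line)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# CVE ids whose affected range contains +version+ (a Gem::Version).
def matching_advisories(version)
  LODASH_RAILS_ADVISORIES.select do |_cve, adv|
    Gem::Requirement.new(*adv[:affected]).satisfied_by?(version)
  end.keys
end

# Lowest release that closes every matched advisory: the highest "Fixed in".
def upgrade_target(cves)
  return nil if cves.empty?
  cves.map { |cve| Gem::Version.new(LODASH_RAILS_ADVISORIES[cve][:fixed]) }.max.to_s
end

# Returns { version:, cves:, upgrade_to: }; version is nil when the gem is not locked.
def audit_lockfile(lockfile_text)
  version = locked_version(lockfile_text, 'lodash-rails')
  return { version: nil, cves: [], upgrade_to: nil } if version.nil?
  cves = matching_advisories(version)
  { version: version.to_s, cves: cves, upgrade_to: upgrade_target(cves) }
end

# Constructed sample lockfile (not from a real project) pinning an old release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      lodash-rails (4.17.10)
        railties (>= 3.1)
      railties (6.1.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    lodash-rails

  BUNDLED WITH
     2.2.3
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = audit_lockfile(text)
  if result[:version].nil?
    puts 'lodash-rails is not locked in this Gemfile.lock'
  elsif result[:cves].empty?
    puts "lodash-rails #{result[:version]}: no listed advisory applies"
  else
    puts "lodash-rails #{result[:version]} is affected by: #{result[:cves].join(', ')}"
    puts "upgrade to at least #{result[:upgrade_to]} (bundle update lodash-rails)"
  end
end
```

Because the gem only vendors lodash's JavaScript, there is no server-side patch to apply; the remediation is the version bump the script names, after which the asset pipeline serves the fixed lodash build. Using Gem::Requirement for the comparison keeps prerelease and multi-segment versions (4.17.21 versus 4.17.5, for example) ordered correctly rather than compared as strings.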