CVE-2019-10744 — CRITICAL (9.1)

Q: How severe is CVE-2019-10744?

CVE-2019-10744 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-10744?

Check the references section above for vendor advisories and patch information. Affected products include: Lodash Lodash, Netapp Active Iq Unified Manager, Netapp Service Level Manager, Redhat Virtualization Manager, Oracle Banking Extensibility Workbench.

Vulnerability Description

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Lodash	Lodash	< 4.17.12
Netapp	Active Iq Unified Manager	-
Netapp	Service Level Manager	-
Redhat	Virtualization Manager	4.3
Oracle	Banking Extensibility Workbench	14.3.0
F5	Big-Ip Access Policy Manager	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Advanced Firewall Manager	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Analytics	>= 12.1.0, <= 12.1.5
F5	Big-Ip Application Acceleration Manager	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Application Security Manager	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Application Visibility And Reporting	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Domain Name System	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Edge Gateway	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Fraud Protection Service	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Global Traffic Manager	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Link Controller	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Local Traffic Manager	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Policy Enforcement Manager	>= 12.1.0, < 12.1.5.2
F5	Big-Ip Webaccelerator	>= 12.1.0, < 12.1.5.2
F5	Big-Iq Centralized Management	>= 6.0.0, <= 6.1.0

Related Weaknesses (CWE)

CWE-1321

References

https://access.redhat.com/errata/RHSA-2019:3024Third Party Advisory
https://security.netapp.com/advisory/ntap-20191004-0005/Third Party Advisory
https://snyk.io/vuln/SNYK-JS-LODASH-450202ExploitThird Party Advisory
https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_mediThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory
https://access.redhat.com/errata/RHSA-2019:3024Third Party Advisory
https://security.netapp.com/advisory/ntap-20191004-0005/Third Party Advisory
https://snyk.io/vuln/SNYK-JS-LODASH-450202ExploitThird Party Advisory
https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_mediThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory

FAQ

What is CVE-2019-10744?

CVE-2019-10744 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payl...

How severe is CVE-2019-10744?

CVE-2019-10744 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-10744?

Check the references section above for vendor advisories and patch information. Affected products include: Lodash Lodash, Netapp Active Iq Unified Manager, Netapp Service Level Manager, Redhat Virtualization Manager, Oracle Banking Extensibility Workbench.