Search for packages
| purl | pkg:gem/lodash-rails@3.6.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-dzeb-zu9x-g3bq
Aliases: CVE-2019-10744 GHSA-jf85-cpcp-j695 |
Prototype Pollution in lodash Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. |
Affected by 0 other vulnerabilities. |
|
VCID-e3y9-r7uz-pkfg
Aliases: CVE-2020-28500 GHSA-29mw-wpgm-hmr9 |
Regular Expression Denial of Service (ReDoS) in lodash All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. Steps to reproduce (provided by reporter Liyuan Chen): ```js var lo = require('lodash'); function build_blank(n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0); var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1); var time2 = Date.now(); lo.trimEnd(s); var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2); ``` |
Affected by 0 other vulnerabilities. |
|
VCID-fhw1-4c1k-sfh3
Aliases: CVE-2021-23337 GHSA-35jh-r3h4-6jhm |
Command Injection in lodash `lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function. |
Affected by 0 other vulnerabilities. |
|
VCID-s532-7mp1-kyeb
Aliases: CVE-2018-16487 GHSA-4xc9-xhrj-v574 |
Prototype Pollution in lodash Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. |
Affected by 4 other vulnerabilities. |
|
VCID-sxth-92xw-zbea
Aliases: CVE-2018-3721 GHSA-fvqr-27wr-82fm |
Prototype Pollution in lodash Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||