Vulnerability Name: CVE-2019-1010266 (CCN-168402)

Assigned: 2019-07-17
Published: 2019-07-17
Updated: 2020-09-30
Summary: lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
3.5 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-770
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2019-1010266

Source: XF
Type: UNKNOWN
lodash-cve20191010266-dos(168402)

Source: CCN
Type: Lodash GIT Repository
GitHub - lodash/lodash: A modern JavaScript utility library delivering modularity, performance

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://github.com/lodash/lodash/issues/3359

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://github.com/lodash/lodash/wiki/Changelog

Source: CCN
Type: NetApp Advisory Number NTAP-20190919-0004
September 2019 Lodash Vulnerabilities in NetApp Products

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20190919-0004/

Source: MISC
Type: Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JS-LODASH-73639

Source: CCN
Type: IBM Security Bulletin 1164496 (Cloud Private)
A Security Vulnerability affects IBM Cloud Private - lodash (CVE-2019-1010266)

Source: CCN
Type: IBM Security Bulletin 6524700 (Planning Analytics Workspace)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6574021 (Process Mining)
Vulnerability in Lodash affects IBM Process Mining (Multiple CVEs)

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6598689 (Tivoli Netcool/OMNIbus WebGUI)
Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744)

Source: CCN
Type: IBM Security Bulletin 6830017 (QRadar Pulse App)
QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6857863 (MobileFirst Platform Foundation)
Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-1010266

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:lodash:lodash:*:*:*:*:*:node.js:*:* (Version < 4.17.11)

Configuration CCN 1:
  • cpe:/a:lodash:lodash:*:*:*:*:*:node.js:*:*
  • AND
  • cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.0:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/omnibus_webgui:8.1.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:com.ubuntu.bionic:def:201910102660000000 | V | CVE-2019-1010266 on Ubuntu 18.04 LTS (bionic) - medium. | 2019-07-17
    oval:com.ubuntu.xenial:def:201910102660000000 | V | CVE-2019-1010266 on Ubuntu 16.04 LTS (xenial) - untriaged. | 2019-07-17
    oval:com.ubuntu.disco:def:201910102660000000 | V | CVE-2019-1010266 on Ubuntu 19.04 (disco) - medium. | 2019-07-17