Update dependency lodash [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
lodash (source)	4.17.4 → 4.17.21
lodash (source)	^3.5.0 → ^4.0.0
lodash (source)	^3.9.0 → ^4.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Prototype Pollution in lodash

CVE-2019-10744 / GHSA-jf85-cpcp-j695

More information

Details

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

• https://github.com/lodash/lodash/pull/4336
• https://nvd.nist.gov/vuln/detail/CVE-2019-10744
• https://snyk.io/vuln/SNYK-JS-LODASH-450202
• https://access.redhat.com/errata/RHSA-2019:3024
• https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS
• https://security.netapp.com/advisory/ntap-20191004-0005
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml
• https://github.com/advisories/GHSA-jf85-cpcp-j695

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Prototype Pollution in lodash

CVE-2018-16487 / GHSA-4xc9-xhrj-v574

More information

Details

Versions of lodash before 4.17.11 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

Severity

High

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-16487
• https://hackerone.com/reports/380873
• https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
• https://security.netapp.com/advisory/ntap-20190919-0004
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml
• https://github.com/advisories/GHSA-4xc9-xhrj-v574

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Prototype Pollution in lodash

CVE-2018-3721 / GHSA-fvqr-27wr-82fm

More information

Details

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-3721
• https://hackerone.com/reports/310443
• https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
• https://security.netapp.com/advisory/ntap-20190919-0004
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml
• https://github.com/advisories/GHSA-fvqr-27wr-82fm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Command Injection in lodash

CVE-2021-23337 / GHSA-35jh-r3h4-6jhm

More information

Details

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Severity

• CVSS Score: 7.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-23337
• https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
• https://snyk.io/vuln/SNYK-JS-LODASH-1040724
• https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851
• https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
• https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
• https://security.netapp.com/advisory/ntap-20210312-0006
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml
• https://github.com/advisories/GHSA-35jh-r3h4-6jhm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

lodash/lodash (lodash)

v4.17.21

Compare Source

v4.17.20

Compare Source

v4.17.19

v4.17.16

Compare Source

v4.17.15

Compare Source

v4.17.14

Compare Source

v4.17.13

Compare Source

v4.17.12

Compare Source

v4.17.11

Compare Source

v4.17.10

Compare Source

v4.17.9

Compare Source

v4.17.5

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.