Lucene search

DwfCVE-2019-1010266

HistoryJul 17, 2019 - 9:15 p.m.

CVE-2019-1010266

2019-07-1721:15:10

CWE-770

CWE-400

dwf

web.nvd.nist.gov

cve-2019-1010266

lodash

4.17.11

cwe-400

uncontrolled resource consumption

denial of service

date handler

attacker

regular expression

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

High

EPSS

0.004

Percentile

73.8%

JSON

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Affected configurations

Nvd

Node

lodashlodashRange<4.17.11node.js

VendorProductVersionCPE
lodashlodash*cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
lodash	lodash	*	cpe:2.3:a:lodash:lodash::::::node.js::*

CNA Affected

[
  {
    "product": "lodash",
    "vendor": "lodash",
    "versions": [
      {
        "status": "affected",
        "version": "<4.17.11 [fixed: 4.7.11]"
      }
    ]
  }
]