Vulnerability CVE-2019-10744 found in lodash package.
CVEID: CVE-2019-10744
**DESCRIPTION:** Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167415 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
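The following JavaScript is an added example, not part of this bulletin and not lodash or IBM code. It shows two defensive checks for the issue described above: flagging a lodash version lower than 4.17.12, and rejecting parsed JSON whose keys could reach Object.prototype before it is handed to a deep-merge function. The function names, the blocked-key list and the sample input are assumptions made for illustration.

```javascript
// Added example: defensive checks for CVE-2019-10744 (names are hypothetical).
// Assumption: versions are "major.minor.patch" strings, e.g. from a lockfile.
const FIXED = [4, 17, 12]; // the bulletin: versions lower than 4.17.12 are vulnerable

// Returns true when a lodash version string is lower than 4.17.12.
function isAffectedLodash(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly 4.17.12
}

// Keys through which a recursive merge can reach Object.prototype.
// "constructor" is the one the bulletin names; the others are added as an assumption.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walks untrusted, already-parsed JSON and returns the path of every blocked key,
// so the caller can reject the input instead of merging it.
function findBlockedKeys(value, path = "$", hits = []) {
  if (value === null || typeof value !== "object") return hits;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (BLOCKED_KEYS.has(key)) hits.push(here);
    findBlockedKeys(value[key], here, hits); // own property, so no prototype lookup
  }
  return hits;
}

// Constructed sample input (not taken from any real request).
const SAMPLE = JSON.parse('{"theme":"dark","constructor":{"prototype":{"flag":true}}}');

console.log(isAffectedLodash("4.17.11")); // affected version
console.log(findBlockedKeys(SAMPLE));     // paths that should cause rejection
```

Input filtering of this kind is defence in depth only; the remediation in this bulletin is to install the fixed packages.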
Affected Product(s) | Version(s) |
---|---|
IBM PowerAI | 1.5.4 |
IBM PowerAI | 1.6.0 |
Watson Machine Learning Community Edition | 1.6.1 |
Watson Machine Learning Community Edition | 1.6.2 |
Watson Machine Learning Accelerator | 1.1.2 |
Note: The product was renamed after the 1.6.0 version.
For IBM PowerAI 1.5.4 and Watson Machine Learning Accelerator 1.1.2:
Install instructions: <https://www.ibm.com/support/pages/node/1135077>
For IBM PowerAI 1.6.0 and Watson Machine Learning Community Edition 1.6.1:
Upgrade to WML CE 1.6.2, which includes the fixes. See <https://www.ibm.com/support/knowledgecenter/SS5SF7> for upgrading instructions.
For Watson Machine Learning Community Edition 1.6.2:
For installing WML CE from scratch:
New installations of WML CE include all security fixes. See <https://www.ibm.com/support/knowledgecenter/SS5SF7> for installation instructions.
It is recommended to keep packages up to date. To update all packages to the latest versions, use:
`conda update --all`
To update individual packages, use the package name:
`conda update tensorboard`
If you have previously installed WML CE using the `powerai` meta-package, you can also use that to update to the latest packages.
`conda update powerai`