Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
| Link | Tags |
|---|---|
| https://hackerone.com/reports/712065 | third party advisory exploit |
| https://www.oracle.com/security-alerts/cpuApr2021.html | third party advisory patch |
| https://security.netapp.com/advisory/ntap-20200724-0006/ | third party advisory |
| https://github.com/lodash/lodash/issues/4874 | issue tracking vendor advisory |
| https://www.oracle.com//security-alerts/cpujul2021.html | third party advisory patch |
| https://www.oracle.com/security-alerts/cpuoct2021.html | third party advisory patch |
| https://www.oracle.com/security-alerts/cpujan2022.html | third party advisory patch |
| https://www.oracle.com/security-alerts/cpuapr2022.html | third party advisory patch |