CVE-2019-10744 in Banking Extensibility Workbenchinfo

Summary

by MITRE

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/16/2021

The vulnerability identified as CVE-2019-10744 represents a critical prototype pollution flaw affecting lodash versions prior to 4.17.12. This issue stems from the improper handling of constructor properties within the defaultsDeep function, which allows attackers to manipulate the Object.prototype object through carefully crafted input payloads. The vulnerability manifests when the function processes objects containing constructor properties, enabling unauthorized modifications to the prototype chain that can have far-reaching consequences throughout the application's runtime environment.

The technical exploitation of this vulnerability occurs through a specific pattern where attacker-controlled data is passed to the defaultsDeep function, which then recursively merges properties from source objects into target objects. When the source object contains a constructor property, the function inadvertently propagates this property to the target object's prototype chain, effectively polluting the Object.prototype object itself. This occurs because the function does not properly validate or sanitize constructor properties during the deep merge operation, allowing malicious payloads to traverse the prototype hierarchy and modify fundamental object behaviors.

The operational impact of this prototype pollution vulnerability extends beyond simple property manipulation and can lead to severe security consequences including remote code execution, denial of service, and privilege escalation attacks. When Object.prototype is polluted, all objects in the JavaScript environment inherit the modified properties, potentially enabling attackers to manipulate core object behaviors, bypass security checks, or inject malicious code into the application's execution flow. The vulnerability is particularly dangerous in server-side environments where user input is processed through lodash functions, as it can be exploited to compromise entire applications or systems.

Organizations should immediately upgrade to lodash version 4.17.12 or later to remediate this vulnerability, as this release includes proper validation mechanisms that prevent constructor properties from being merged into prototype objects. Additional mitigations include implementing input sanitization measures, employing strict content security policies, and conducting thorough code reviews to identify other potential prototype pollution vectors within the application's codebase. This vulnerability aligns with CWE-471, which specifically addresses the issue of improper handling of prototype properties, and can be categorized under ATT&CK technique T1059.007 for script injection and T1211 for exploitation of vulnerabilities in third-party libraries. The remediation process should also include monitoring for any anomalous behavior that might indicate prototype pollution has occurred, as the effects of such pollution can be subtle and difficult to detect through conventional security scanning methods.

Reservation

04/03/2019

Moderation

accepted

Entry

2

Relate

show

CPE

ready

EPSS

0.05006

KEV

no

Activities

very low

Sector

Finance

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!