Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.03276
Percentile: 0.86646
CVSS Scoring
CVSS v3.1 Score: 7.4
Severity: HIGH
Mapped CWE(s)
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CWE-770: Allocation of Resources Without Limits or Throttling
All CAPEC(s)
- CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
- CAPEC-125: Flooding
- CAPEC-130: Excessive Allocation
- CAPEC-147: XML Ping of the Death
- CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
- CAPEC-197: Exponential Data Expansion
- CAPEC-229: Serialized Data Parameter Blowup
- CAPEC-230: Serialized Data with Nested Payloads
- CAPEC-231: Oversized Serialized Data Payloads
- CAPEC-469: HTTP DoS
- CAPEC-482: TCP Flood
- CAPEC-486: UDP Flood
- CAPEC-487: ICMP Flood
- CAPEC-488: HTTP Flood
- CAPEC-489: SSL Flood
- CAPEC-490: Amplification
- CAPEC-491: Quadratic Data Expansion
- CAPEC-493: SOAP Array Blowup
- CAPEC-494: TCP Fragmentation
- CAPEC-495: UDP Fragmentation
- CAPEC-496: ICMP Fragmentation
- CAPEC-528: XML Flood
- CAPEC-77: Manipulating User-Controlled Variables
CAPEC(s) with Mapped TTPs
- CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
  Mapped TTPs:
  - T1574.010: Services File Permissions Weakness
- CAPEC-125: Flooding
  Mapped TTPs:
- CAPEC-130: Excessive Allocation
  Mapped TTPs:
- CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
  Mapped TTPs:
  - T1574.010: Services File Permissions Weakness
- CAPEC-469: HTTP DoS
  Mapped TTPs:
- CAPEC-482: TCP Flood
  Mapped TTPs:
- CAPEC-488: HTTP Flood
  Mapped TTPs:
- CAPEC-489: SSL Flood
  Mapped TTPs:
- CAPEC-490: Amplification
  Mapped TTPs:
- CAPEC-528: XML Flood
  Mapped TTPs:
Mapped ATT&CK TTPs
- T1574.010: Services File Permissions Weakness (Kill Chain: persistence)
- T1498.001: Direct Network Flood (Kill Chain: impact)
- T1499: Endpoint Denial of Service (Kill Chain: impact)
- T1499.003: Application Exhaustion Flood (Kill Chain: impact)
- T1499.002: Service Exhaustion Flood (Kill Chain: impact)
- T1499.001: OS Exhaustion Flood (Kill Chain: impact)
- T1498.002: Reflection Amplification (Kill Chain: impact)
Malware
APTs Threat Group Associations
Campaigns
Affected Products
- cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_liquidity_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_liquidity_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_liquidity_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_border_controller:cz8.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_router:cz8.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_subscriber-aware_load_balancer:cz8.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_communications_broker:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_communications_broker:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_communications_broker:pcz3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*