*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Mike Salvatore 
(mikesalvatore):

from https://snyk.io/vuln/npm:deep-extend:20180409 :

deep-extend: "all the listed modules can be tricked into modifying the
prototype of "Object" when the attacker controls part of the structure
passed to these functions."

This is verifiably true on at least bionic/18.04, given the PoC listed
at the above URL, but since it's the same deep-extend all the way up
to Debian sid, it's probably the same for all versions.

The following commit apparently fixes this (though I haven't verified
that):

https://github.com/unclechu/node-deep-extend/commit/433ee51ed606f4e1867ece57b6ff5a47bebb492f

** Affects: node-deep-extend (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: bionic disco
-- 
CVE-2018-3750:  Prototype Pollution 
https://bugs.launchpad.net/bugs/1823574
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
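The report above describes the general shape of the bug: a recursive merge that copies keys from attacker-controlled input into a target object can be steered onto `Object.prototype`, after which every object in the process inherits the injected property. The code below is an added example written for this note; it is not deep-extend's code and not the referenced commit, and the function names `safeDeepExtend`, `isPlainObject`, `objectPrototypeHasKey` and `mergeUntrusted` are my own. It shows a hardened deep-merge that only walks own enumerable keys and drops the three key names that can reach the prototype chain, plus a post-merge check a test suite or health probe can run to confirm `Object.prototype` has not picked up an unexpected own property. The JSON input is constructed for the example.

```javascript
// Added example (not deep-extend's code): a deep-merge hardened against
// prototype pollution, with a check that Object.prototype stayed clean.

// Keys that can reach the prototype chain during assignment or lookup.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only merge into/from plain objects; class instances, Maps, Dates etc.
// are copied by reference and never recursed into.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively merges sources into target and returns target.
function safeDeepExtend(target, ...sources) {
  if (!isPlainObject(target)) {
    throw new TypeError('target must be a plain object');
  }
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    // Object.keys yields own enumerable keys only, so nothing inherited
    // from the source's prototype is ever copied.
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue; // drop the pollution vector
      const value = source[key];
      if (Array.isArray(value)) {
        target[key] = value.slice(); // shallow copy, no shared reference
      } else if (isPlainObject(value)) {
        // Use the existing nested object only if it is itself plain;
        // otherwise start fresh rather than writing into something else.
        const existing = isPlainObject(target[key]) ? target[key] : {};
        target[key] = safeDeepExtend(existing, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Detection helper: true if Object.prototype gained an own property with
// this name (a polluted process will answer true for the injected key).
function objectPrototypeHasKey(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed sample: the kind of untrusted JSON body a service might pass
// to a merge. JSON.parse creates an OWN property literally named
// "__proto__" here; a naive merge would assign through it.
const UNTRUSTED_JSON =
  '{"__proto__": {"polluted": true},' +
  ' "constructor": {"prototype": {"polluted": true}},' +
  ' "name": "alice", "prefs": {"theme": "dark"}}';

// Merge untrusted input over a default config and return the result.
function mergeUntrusted(json) {
  const config = { prefs: { theme: 'light', lang: 'en' }, tags: ['a'] };
  return safeDeepExtend(config, JSON.parse(json));
}

if (typeof require !== 'undefined' && require.main === module) {
  const merged = mergeUntrusted(UNTRUSTED_JSON);
  console.log(JSON.stringify(merged));
  console.log('Object.prototype polluted?', objectPrototypeHasKey('polluted'));
}
```

The two guards that matter are iterating with `Object.keys` (never `for...in`, which would also visit inherited keys) and refusing the three names in `UNSAFE_KEYS` before any assignment; the `objectPrototypeHasKey` check is cheap enough to run after every merge in a test suite, so a regression in either guard is caught immediately rather than surfacing as mysterious behaviour elsewhere in the process.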
