High Vulnerabilities #1063
Comments
I have done a scan on Veracode and I have found some vulnerabilities similar to the above one.

- Component filename: lodash
- Component filename: y18n
- Component filename: minimist
- Component filename: minimist
- Component filename: minimist
- Component filename: ini
- Component filename: ejs

One new CRITICAL vulnerability showed up with a new scan for the latest version (v1.0.2.post0), scanned on 6/24 at 9:30 AM CT: pkg:npm/lodash@4.17.15

I assume most of these vulnerabilities can be resolved with npm module upgrades?
Hey, @dalekube! Thanks to @nicholasrq, npm-related critical vulnerabilities have been fixed and are currently in the latest master branch. We're going to include these fixes in the upcoming 1.2 release; meanwhile it would be helpful if you could scan it again and check whether they have gone.
Thank you, @nicholasrq. It looks like some vulnerabilities were cleared. However, the critical vulnerability with lodash@4.17.15 still exists. There are 12 high and 1 critical vulnerabilities remaining. I am using Barista for the scanning, which passes all project and dependency code through the OWASP Dependency Check tool to gather published vulnerability information.

- pkg:npm/glob-parent@5.1.0
- pkg:npm/ini@1.3.5
- pkg:npm/lodash@4.17.15
- pkg:npm/markdown@0.5.0
- pkg:npm/minimist@0.0.10
- pkg:npm/prismjs@1.19.0
- pkg:npm/prismjs@1.19.0
- pkg:npm/prismjs@1.19.0
- pkg:npm/tar@4.4.8
- pkg:npm/tar@4.4.8
- pkg:npm/y18n@3.2.1
- pkg:npm/y18n@3.2.1
- pkg:npm/lodash@4.17.15

Excellent progress, @nicholasrq! I re-scanned the master branch and only three high vulnerabilities remain. The one critical vulnerability was resolved.

- pkg:npm/ini@1.3.5
- pkg:npm/tar@4.4.8
- pkg:npm/tar@4.4.8
@dalekube hey! Took another round of updating vulnerable packages. Please take a look at the progress. Everything must be clear now.

@nicholasrq, thank you! I completed another scan. All that remains are 9 medium vulnerabilities. We are good to go on our end now, considering that the critical and high vulnerabilities were properly accounted for. Thanks again for the updates! We will wait until the next release, then upgrade our instance with pip, and then begin to use the instance.
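The re-scans in the comments above check whether the vulnerable versions are gone from the dependency tree. As an added example (not the project's own tooling, and not from any of the commenters), here is a small lockfile gate that walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3 layout) and fails on any installed copy of lodash or y18n below the fixed versions the scan report on this page names; the function names, the `MIN_FIXED` table and the sample lockfile are constructed for illustration:

```javascript
// Added example, not the project's own code: a lockfile gate for the
// "no high or critical findings" requirement discussed in the thread.
// Minimum fixed versions are the ones stated in the scan report on this page.
const MIN_FIXED = {
  // lodash < 4.17.21: command injection via template (CVE-2021-23337);
  // lodash <= 4.17.15: prototype pollution via zipObjectDeep (CVE-2020-8203).
  lodash: { '*': '4.17.21' },
  // y18n prototype pollution, fixed separately in each major line.
  y18n: { 3: '3.2.2', 4: '4.0.1', 5: '5.0.5' },
};

// Numeric dotted-version compare: returns <0, 0 or >0 like strcmp.
// Good enough for release versions; a prerelease suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Minimum safe version for this package and installed major line,
// or null when the gate has no rule for the package.
function requiredVersion(name, installed) {
  const rules = MIN_FIXED[name];
  if (!rules) return null;
  const major = installed.split('.')[0];
  return rules[major] || rules['*'] || null;
}

// Walk every install path, including nested copies such as
// node_modules/<dep>/node_modules/<name>, and collect the offenders.
function findViolations(lock) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.version || entry.link) continue;           // root entry or workspace link
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0) continue;                                // workspace source dir, not an install
    const name = path.slice(idx + 'node_modules/'.length); // keeps @scope/name intact
    const required = requiredVersion(name, entry.version);
    if (required && compareVersions(entry.version, required) < 0) {
      violations.push({ path, name, version: entry.version, required });
    }
  }
  return violations;
}

// Constructed sample lockfile (not a real one): versions copied from the
// scan report, plus one nested copy that is already on a fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.2' },
    'node_modules/lodash': { version: '4.17.15' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/lodash': { version: '4.17.21' },
    'node_modules/y18n': { version: '3.2.1' },
    'node_modules/yargs/node_modules/y18n': { version: '5.0.5' },
    'node_modules/ini': { version: '1.3.5' },   // no rule in MIN_FIXED, so not judged here
  },
};

const found = findViolations(SAMPLE_LOCK);
for (const v of found) {
  console.log(`${v.path}: ${v.name}@${v.version} is below fixed version ${v.required}`);
}
console.log(found.length === 0 ? 'gate passed' : `gate failed: ${found.length} finding(s)`);
```

In a CI job you would replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and exit non-zero when `findViolations` returns anything; the point of walking every path rather than only `node_modules/<name>` is that a nested, older copy pulled in by a plugin is exactly what a scanner keeps reporting after the top-level upgrade.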
This is connected to the issue critical vulnerabilities #851.
The latest OWASP scan of version 1.0.2 reports 12 high vulnerabilities. The critical vulnerabilities were successfully accounted for with the previous issue and corresponding pull request. All of the high issues pertain to npm. The security team in my organization requires critical and high vulnerabilities to be non-existent for approved use.
pkg:npm/ini@1.3.5
HIGH
CWE-471: Modification of Assumed-Immutable Data (MAID)
https://ossindex.sonatype.org/vulnerability/c08153de-a0ad-4212-963d-3de92eaab509?component-type=npm&component-name=ini&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software does not properly protect an assumed-immutable element from being modified by an attacker.

pkg:npm/lodash@4.17.15
HIGH
CVE-2021-23337
https://ossindex.sonatype.org/vulnerability/22d2fa1f-0b1d-4240-a4c0-9954a5dc9082?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

pkg:npm/lodash@4.17.15
high
advisory 1673
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

pkg:npm/lodash@4.17.15
HIGH
CVE-2020-8203
https://ossindex.sonatype.org/vulnerability/8740216c-fea2-4998-a7c0-a687c35a2f92?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

pkg:npm/lodash@4.17.15
HIGH
CWE-770: Allocation of Resources Without Limits or Throttling
https://ossindex.sonatype.org/vulnerability/eeedfb1c-6a5e-428c-bb17-c64b66f9eced?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor.

pkg:npm/lodash@4.17.20
HIGH
CVE-2021-23337
https://ossindex.sonatype.org/vulnerability/22d2fa1f-0b1d-4240-a4c0-9954a5dc9082?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

pkg:npm/lodash@4.17.20
high
advisory 1673
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

pkg:npm/markdown@0.5.0
HIGH
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
https://ossindex.sonatype.org/vulnerability/696b3c22-8fb1-4dde-8042-4691ae4107d6?component-type=npm&component-name=markdown&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

pkg:npm/minimist@0.0.10
HIGH
CWE-94: Improper Control of Generation of Code ('Code Injection')
https://ossindex.sonatype.org/vulnerability/a0172c09-270c-4d3c-9816-564f20f372db?component-type=npm&component-name=minimist&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

pkg:npm/prismjs@1.19.0
HIGH
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
https://ossindex.sonatype.org/vulnerability/80928575-5fee-4f94-8bc6-48b2461442df?component-type=npm&component-name=prismjs&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

pkg:npm/y18n@3.2.1
high
advisory 1654
y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.

POC (as quoted in the advisory):

```js
const y18n = require('y18n')();

// The locale name is used directly as a property key, so '__proto__'
// resolves to Object.prototype and the update lands on every object.
y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true
```

pkg:npm/y18n@3.2.1
HIGH
CWE-20: Improper Input Validation
https://ossindex.sonatype.org/vulnerability/ef4add6f-4439-4eb8-bd0e-d040ff4ba76b?component-type=npm&component-name=y18n&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
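The y18n POC in the scan report above and the lodash zipObjectDeep finding (CVE-2020-8203) are the same bug class: a caller-controlled string is used as a property key on a plain object, and `'__proto__'` walks up to `Object.prototype`. As an added example, not code from y18n, lodash or this project, here is a minimal locale store (made-up names) that reproduces that pattern next to a hardened version, plus a check that shows the pollution escaping from one store and not the other:

```javascript
// Added example, not y18n's or lodash's code: a tiny locale store with the
// prototype-pollution pattern from the y18n POC, and a hardened variant.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: `cache` is a plain object, so cache['__proto__'] is
// Object.prototype (truthy), and Object.assign then writes into it.
function makeVulnerableStore() {
  const cache = {};
  let locale = 'en';
  return {
    setLocale(name) { locale = name; },
    updateLocale(obj) {
      if (!cache[locale]) cache[locale] = {};
      Object.assign(cache[locale], obj);
    },
    get(key) { return cache[locale] ? cache[locale][key] : undefined; },
  };
}

// Hardened: null-prototype tables (nothing to walk up to), an explicit
// reject list for the locale name, and the same reject list applied to the
// keys being merged in, since JSON.parse can produce an own '__proto__' key.
function makeHardenedStore() {
  const cache = Object.create(null);
  let locale = 'en';
  return {
    setLocale(name) {
      if (typeof name !== 'string' || FORBIDDEN_KEYS.has(name)) {
        throw new TypeError(`refusing locale name ${JSON.stringify(name)}`);
      }
      locale = name;
    },
    updateLocale(obj) {
      if (!Object.prototype.hasOwnProperty.call(cache, locale)) {
        cache[locale] = Object.create(null);
      }
      for (const [k, v] of Object.entries(obj)) {
        if (FORBIDDEN_KEYS.has(k)) continue;   // drop pollution keys silently
        cache[locale][k] = v;
      }
    },
    get(key) {
      const table = cache[locale];
      return table && Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
    },
  };
}

// Runs the y18n POC sequence against a store and reports whether a fresh,
// unrelated object ends up seeing the injected property. Cleans up after
// itself so a polluted run does not contaminate later checks in the process.
function pollutionEscapes(makeStore) {
  const store = makeStore();
  try {
    store.setLocale('__proto__');
    store.updateLocale({ polluted: true });
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;   // hardened store rejects the name
  }
  try {
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('vulnerable store leaks into Object.prototype:', pollutionEscapes(makeVulnerableStore));
console.log('hardened store leaks into Object.prototype:  ', pollutionEscapes(makeHardenedStore));
```

The null-prototype table alone would already stop the `'__proto__'` walk, but the reject list is kept as well: it also covers `constructor.prototype` style paths that deep-set helpers (the zipObjectDeep case) are tricked through, and it fails loudly on the locale name instead of quietly creating a table called `__proto__`.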