-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(security): force lodash > 4.17.20 - CVE-2020-8203 #1918
Labels
dependencies
Pull requests that update a dependency file
P1
Priority 1: Highest
Security
Related to existing or potential security vulnerabilities
Comments
petermetz
added
dependencies
Pull requests that update a dependency file
P1
Priority 1: Highest
Security
Related to existing or potential security vulnerabilities
labels
Mar 14, 2022
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Mar 14, 2022
TODO: Longer term we should take care to upgrade the top level dependencies instead (as patched releases become available) Fixes hyperledger-cacti#1918 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Mar 15, 2022
TODO: Longer term we should take care to upgrade the top level dependencies instead (as patched releases become available) Fixes hyperledger-cacti#1918 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Mar 15, 2022
TODO: Longer term we should take care to upgrade the top level dependencies instead (as patched releases become available) Fixes hyperledger-cacti#1918 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Mar 15, 2022
TODO: Longer term we should take care to upgrade the top level dependencies instead (as patched releases become available) Fixes hyperledger-cacti#1918 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Mar 15, 2022
TODO: Longer term we should take care to upgrade the top level dependencies instead (as patched releases become available) Fixes hyperledger-cacti#1918 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
that referenced
this issue
Mar 15, 2022
TODO: Longer term we should take care to upgrade the top level dependencies instead (as patched releases become available) Fixes #1918 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
dependencies
Pull requests that update a dependency file
P1
Priority 1: Highest
Security
Related to existing or potential security vulnerabilities
Severity
High
7.4
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Weaknesses
CWE-770
CWE-1321
CVE ID
CVE-2020-8203
GHSA ID
GHSA-p6mc-m468-83gw
No security update is needed as lodash is no longer vulnerable
Dependabot hasn't attempted to update lodash as it's no longer vulnerable.
Package
Affected versions
Patched version
lodash
(npm)
< 4.17.20
4.17.20
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
The text was updated successfully, but these errors were encountered: