
Security Vulnerability : CVE-2019-19919 - Prototype Pollution #2171

Closed
Tracked by #2151
Dorota-MB opened this issue May 10, 2021 · 1 comment

Summary:
The lodash package, in versions lower than 4.17.20, is vulnerable to Prototype Pollution in zipObjectDeep due to an incomplete fix for CVE-2020-8203.

Severity:
Medium

Priority:
High

Expected Behavior
Upgrade lodash to version 4.17.20 or higher.

Steps to Reproduce
N/A

Specifications

  • Component (if known):
  • Version: Related to lodash package, versions <4.17.20.
  • Platform: Mowali
  • Subsystem:
  • Type of testing:
  • Bug found/raised by: Mowali

Notes:

  • Severity when opened:
  • Priority when opened:
@Dorota-MB Dorota-MB added the bug Something isn't working or it has wrong behavior on a Mojaloop Core service label May 10, 2021
@elnyry-sam-k elnyry-sam-k added story oss-core This is an issue - story or epic related to a feature on a Mojaloop core service or related to it and removed bug Something isn't working or it has wrong behavior on a Mojaloop Core service labels May 10, 2021
@elnyry-sam-k elnyry-sam-k added this to the Sprint 14.3 milestone May 31, 2021
@mdebarros mdebarros self-assigned this May 31, 2021

mdebarros commented Jun 1, 2021

This issue has been fixed in the v11.5.0 release: https://github.com/mojaloop/account-lookup-service/releases/tag/v11.5.0

Snyk Remediation recommends that lodash is upgraded to version 4.17.20 or higher:
https://snyk.io/vuln/SNYK-JS-LODASH-590103.

As per the following dependency tree for the v11.5.0 release, all versions of lodash meet this requirement:

$ npm ls lodash

account-lookup-service@11.4.0 /.../mojaloop/git/account-lookup-service
├─┬ @mojaloop/central-services-database@10.7.0
│ ├─┬ knex@0.95.5
│ │ └── lodash@4.17.21  deduped
│ └── lodash@4.17.21 
├─┬ @mojaloop/central-services-error-handling@11.3.0
│ └── lodash@4.17.21 
├─┬ @mojaloop/central-services-shared@13.0.1
│ ├─┬ data-urls@2.0.0
│ │ └─┬ whatwg-url@8.5.0
│ │   └── lodash@4.17.20  deduped
│ ├── lodash@4.17.21 
│ ├─┬ openapi-backend@3.9.2
│ │ ├── lodash@4.17.20 
│ │ └─┬ mock-json-schema@1.0.8
│ │   └── lodash@4.17.20  deduped
│ └─┬ shins@2.6.0
│   └─┬ sanitize-html@1.27.5
│     └── lodash@4.17.20  deduped
├─┬ UNMET PEER DEPENDENCY @mojaloop/event-sdk@10.7.1
│ └── lodash@4.17.21 
├─┬ jest@27.0.1
│ └─┬ @jest/core@27.0.1
│   └─┬ jest-snapshot@27.0.1
│     ├─┬ @babel/traverse@7.12.13
│     │ └── lodash@4.17.20  deduped
│     └─┬ @babel/types@7.12.13
│       └── lodash@4.17.20  deduped
├─┬ jsdoc@3.6.7
│ ├─┬ catharsis@0.9.0
│ │ └── lodash@4.17.20  deduped
│ └─┬ requizzle@0.2.3
│   └── lodash@4.17.20  deduped
├─┬ knex@0.95.6
│ └── lodash@4.17.21 
├─┬ npm-check-updates@11.5.13
│ └── lodash@4.17.21 
├─┬ nyc@15.1.0
│ └─┬ istanbul-lib-instrument@4.0.3
│   └─┬ @babel/core@7.12.13
│     ├─┬ @babel/helper-module-transforms@7.12.13
│     │ └── lodash@4.17.20  deduped
│     └── lodash@4.17.20  deduped
├─┬ request-promise-native@1.0.9
│ └─┬ request-promise-core@1.1.4
│   └── lodash@4.17.20  deduped
├─┬ standard@16.0.3
│ └─┬ eslint@7.13.0
│   ├─┬ @eslint/eslintrc@0.2.2
│   │ └── lodash@4.17.20  deduped
│   ├── lodash@4.17.20  deduped
│   └─┬ table@5.4.6
│     └── lodash@4.17.20  deduped
└─┬ standard-version@9.3.0
  ├─┬ conventional-changelog@3.1.24
  │ └─┬ conventional-changelog-core@4.2.2
  │   ├─┬ conventional-changelog-writer@4.1.0
  │   │ └── lodash@4.17.20  deduped
  │   └── lodash@4.17.20  deduped
  ├─┬ conventional-changelog-conventionalcommits@4.5.0
  │ └── lodash@4.17.20  deduped
  └─┬ conventional-recommended-bump@6.1.0
    ├─┬ conventional-commits-parser@3.2.1
    │ └── lodash@4.17.20  deduped
    └─┬ git-raw-commits@2.0.10
      └── lodash@4.17.20  deduped
