forked from hmcts/rpx-xui-webapp
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathyarn-audit-known-issues
13 lines (13 loc) · 24.9 KB
/
yarn-audit-known-issues
1
2
3
4
5
6
7
8
9
10
11
12
13
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"3.10.1","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"3.10.1","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"3.10.1","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"low","github_advisory_id":"GHSA-56x4-j7p9-fcf9","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:32.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":[],"found_by":null,"deleted":null,"id":1088402,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9\n- https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a\n- https://github.com/advisories/GHSA-56x4-j7p9-fcf9","created":"2022-08-30T20:31:21.000Z","reported_by":null,"title":"Command Injection in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag>/tmp/foo #\" (data-download) task\n>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi > /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/","url":"https://github.com/advisories/GHSA-56x4-j7p9-fcf9"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"moderate","github_advisory_id":"GHSA-v78c-4p63-2j6c","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:10.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":["CWE-319"],"found_by":null,"deleted":null,"id":1088403,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c\n- https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75\n- https://github.com/advisories/GHSA-v78c-4p63-2j6c","created":"2022-08-30T20:28:43.000Z","reported_by":null,"title":"Cleartext Transmission of Sensitive Information in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n","url":"https://github.com/advisories/GHSA-v78c-4p63-2j6c"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"3.10.1","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-27T05:07:54.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089058,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = \"1\" for (var i = 0; i < n; i++) { ret += \" \" } return ret + \"1\"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log(\"time_cost0: \" + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(\"time_cost1: \" + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log(\"time_cost2: \" + time_cost2)","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"3.10.1","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-02-01T05:02:18.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1090101,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"3.10.1","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-02-28T22:27:17.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091185,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"}}}
{"type":"auditAdvisory","data":{"advisory":{"findings":[{"version":"3.10.1","paths":["lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"}}}