I am using grunt v1.0.3, which has a transitive dependency on grunt-legacy-util version 1.1.1.
Under that I see the dependency below, where I am expecting lodash version 4.17.15, but
I see version 4.17.10, which is a little old and a vulnerable library.
Description from CVE: A prototype pollution vulnerability was found in lodash 4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Explanation: The lodash package is vulnerable to Prototype Pollution. The safeGet() function in the lodash.js file fails to restrict the addition or modification of properties of Object prototypes. A remote attacker can exploit this vulnerability by crafting and submitting a request containing malicious JSON to an endpoint that accepts JSON data. The attacker can leverage this vulnerability to modify Object prototype properties which, depending on the behavior of the object within the application, can result in a Denial of Service (DoS) or potentially Remote Code Execution (RCE).
The Sonatype security research team discovered that the root cause of this vulnerability was introduced in version 4.17.5 due to an incomplete fix made for CVE-2018-3721. As a result, contrary to what the advisory states, only versions between 4.17.5 and 4.17.11 (exclusive) have been implicated for CVE-2018-16487. Vulnerable versions prior to 4.17.5 are still covered by CVE-2018-3721.
Detection: The application is vulnerable if it uses the merge, mergeWith, or defaultsDeep functions in this component to process user-supplied JSON data.
So I want to get the latest version, 4.17.15. Please find the details of grunt-legacy-util 1.1.1 which I am currently observing:
grunt-legacy-util": {