Grunt-legacy-util giving old lodash version #1695

Open
saurav-nar opened this issue Oct 1, 2019 · 1 comment

saurav-nar commented Oct 1, 2019

I am using grunt v1.0.3, which has a transitive dependency on grunt-legacy-util version 1.1.1.
Under that I see the dependency below, where I am expecting lodash version 4.17.15 but
I see version 4.17.10, which is a little old and a vulnerable library.

Description from CVE: A prototype pollution vulnerability was found in lodash 4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Explanation: The lodash package is vulnerable to Prototype Pollution. The safeGet() function in the lodash.js file fails to restrict the addition or modification of properties of Object prototypes. A remote attacker can exploit this vulnerability by crafting and submitting a request containing malicious JSON to an endpoint that accepts JSON data. The attacker can leverage this vulnerability to modify Object prototype properties which, depending on the behavior of the object within the application, can result in a Denial of Service (DoS) or potentially Remote Code Execution (RCE).
The Sonatype security research team discovered that the root cause of this vulnerability was introduced in version 4.17.5 due to an incomplete fix made for CVE-2018-3721. As a result, contrary to what the advisory states, only versions between 4.17.5 and 4.17.11 (exclusive) have been implicated for CVE-2018-16487. Vulnerable versions prior to 4.17.5 are still covered by CVE-2018-3721.

Detection: The application is vulnerable by using the merge, mergeWith, or defaultsDeep functions in this component to process user-supplied JSON data.

So I want to get the latest version, 4.17.15. Please find the details of grunt-legacy-util 1.1.1 which I am currently observing:

```json
"grunt-legacy-util": {
  "version": "1.1.1",
  "resolved": "http:xxxx/grunt-legacy-util/-/grunt-legacy-util-1.1.1.tgz",
  "integrity": "...==",
  "dev": true,
  "requires": {
    "async": "~1.5.2",
    "exit": "~0.1.1",
    "getobject": "~0.1.0",
    "hooker": "~0.2.3",
    "lodash": "~4.17.10",
    "underscore.string": "~3.3.4",
    "which": "~1.3.0"
  }
}
```
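As an added example (not part of the original issue, nor grunt's or lodash's own code), the following Node script walks a constructed package-lock v1 style dependency tree and reports every installed lodash copy whose version falls in the ranges the issue text quotes (below 4.17.5 for CVE-2018-3721, 4.17.5 up to but excluding 4.17.11 for CVE-2018-16487); the sample lock object, the function names and the assumption of nested `dependencies` objects are mine.

```javascript
// Constructed sample mirroring the issue: a hoisted lodash 4.17.15 at the top
// level, plus an older nested copy pulled in by grunt-legacy-util 1.1.1.
const sampleLock = {
  dependencies: {
    grunt: {
      version: "1.0.3",
      dependencies: {
        "grunt-legacy-util": {
          version: "1.1.1",
          requires: { lodash: "~4.17.10" },
          dependencies: { lodash: { version: "4.17.10" } },
        },
      },
    },
    lodash: { version: "4.17.15" },
  },
};

// Minimal x.y.z parser; avoids depending on the semver package.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Map a lodash version to the advisory range quoted in the issue, or null if clear.
function lodashAdvisory(version) {
  if (compareSemver(version, "4.17.5") < 0) return "CVE-2018-3721";
  if (compareSemver(version, "4.17.11") < 0) return "CVE-2018-16487";
  return null;
}

// Recursively collect every installed lodash copy with its path in the tree.
function findLodash(deps, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === "lodash") {
      out.push({ path: here.join(" > "), version: info.version, advisory: lodashAdvisory(info.version) });
    }
    findLodash(info.dependencies, here, out); // nested copies, not hoisted ones
  }
  return out;
}

// Only the copies that match a quoted advisory range.
function vulnerableLodash(lock) {
  return findLodash(lock.dependencies).filter((hit) => hit.advisory !== null);
}
```

Running `vulnerableLodash(sampleLock)` reports the nested 4.17.10 copy under grunt > grunt-legacy-util while leaving the hoisted 4.17.15 unflagged, which is the situation the issue describes.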
silviuburceadev commented Mar 19, 2021

grunt 1.3.0 uses grunt-legacy-util ~2.0.0, which uses lodash ~4.17.20. You should update grunt and close this issue. (cc: @vladikoff)
