Vulnerabilities: 2 via 2 paths

Dependencies: 68

Source: GitHub

Commit: a64b3731


Severity: 1 high, 1 medium

high severity

Code Injection

  • Vulnerable module: lodash.template
  • Introduced through: gulp-util@3.0.8

Detailed paths

  • Introduced through: gulp-json-concat@thedaviddias/gulp-json-concat#a64b37311bb0cf7747176e15f885c204d8a032df gulp-util@3.0.8 lodash.template@3.6.2

Overview

lodash.template is the Lodash method _.template exported as a Node.js module.

Affected versions of this package are vulnerable to Code Injection via template.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

There is no fixed version for lodash.template.

References

medium severity

Arbitrary Code Injection

  • Vulnerable module: underscore
  • Introduced through: jsonlint@1.6.3

Detailed paths

  • Introduced through: gulp-json-concat@thedaviddias/gulp-json-concat#a64b37311bb0cf7747176e15f885c204d8a032df jsonlint@1.6.3 nomnom@1.8.1 underscore@1.6.0

Overview

underscore is JavaScript's functional programming helper library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

PoC

const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();

Remediation

Upgrade underscore to version 1.13.0-2, 1.12.1 or higher.

References