Vulnerabilities

 4 via 4 paths

Dependencies

 68

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 3
  • 1
Status
  • 4
  • 0
  • 0

high severity

Arbitrary Code Injection

  • Vulnerable module: lodash.template
  • Introduced through: gulp-util@3.0.8

Detailed paths

  • Introduced through: gulp-json-concat@thedaviddias/gulp-json-concat gulp-util@3.0.8 lodash.template@3.6.2

Overview

lodash.template is a The Lodash method _.template exported as a Node.js module.

Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

Notes:

  1. Version 4.18.0 was intended to fix this vulnerability but it got deprecated due to introducing a breaking functionality issue.

  2. This issue is due to the incomplete fix for CVE-2021-23337.

Remediation

Upgrade lodash.template to version 4.18.1 or higher.

References

Arbitrary Code Injection vulnerability report

high severity

Uncontrolled Recursion

  • Vulnerable module: underscore
  • Introduced through: jsonlint@1.6.3

Detailed paths

  • Introduced through: gulp-json-concat@thedaviddias/gulp-json-concat jsonlint@1.6.3 nomnom@1.8.1 underscore@1.6.0

Overview

underscore is a JavaScript's functional programming helper library.

Affected versions of this package are vulnerable to Uncontrolled Recursion through the _.flatten() or _.isEqual() functions that are used without a depth limit. An attacker can cause the application to crash or become unresponsive by supplying deeply nested data structures as input, leading to stack exhaustion.

Workaround

This vulnerability can be mitigated by enforcing a depth limit on data structures created from untrusted input (e.g., limiting nesting to 1000 levels or fewer), or by passing a finite depth limit as the second argument to the _.flatten() function.

Remediation

Upgrade underscore to version 1.13.8 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

Code Injection

  • Vulnerable module: lodash.template
  • Introduced through: gulp-util@3.0.8

Detailed paths

  • Introduced through: gulp-json-concat@thedaviddias/gulp-json-concat gulp-util@3.0.8 lodash.template@3.6.2

Overview

lodash.template is a The Lodash method _.template exported as a Node.js module.

Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in _.template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted, inherited properties may also be copied into the imports object and executed.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

There is no fixed version for lodash.template.

References

Code Injection vulnerability report

medium severity

Arbitrary Code Injection

  • Vulnerable module: underscore
  • Introduced through: jsonlint@1.6.3

Detailed paths

  • Introduced through: gulp-json-concat@thedaviddias/gulp-json-concat jsonlint@1.6.3 nomnom@1.8.1 underscore@1.6.0

Overview

underscore is a JavaScript's functional programming helper library.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

PoC

const _ = require('underscore');
_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
const t = _.template("")();

Remediation

Upgrade underscore to version 1.13.0-2, 1.12.1 or higher.

References

Arbitrary Code Injection vulnerability report