CVE-2021-23337 (High) detected in lodash-3.10.1.tgz, lodash-4.17.15.tgz #344

mend-for-jackfan.us.kg · 2021-12-07T12:01:19Z

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-4.17.15.tgz

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /samples/testing-frameworks/detox/react-native/package.json

Path to vulnerable library: /samples/testing-frameworks/detox/react-native/node_modules/xmlbuilder/node_modules/lodash/package.json

Dependency Hierarchy:

react-native-0.54.4.tgz (Root Library)
- plist-1.2.0.tgz
  - xmlbuilder-4.0.0.tgz
    - ❌ lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /samples/testing-frameworks/appium/server-side/javascript/webdriver.io/package.json

Path to vulnerable library: /samples/testing-frameworks/appium/server-side/javascript/webdriver.io/node_modules/lodash/package.json,/samples/testing-frameworks/appium/client-side/javascript/webdriver.io/node_modules/lodash/package.json

Dependency Hierarchy:

cli-5.16.7.tgz (Root Library)
- inquirer-7.0.0.tgz
  - ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 12af4f854b64888df6e4492ecc94e141388e939a

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (react-native): 0.56.0-rc

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@wdio/cli): 5.16.9

⛑️ Automatic Remediation is available for this issue

The text was updated successfully, but these errors were encountered:

stale · 2022-04-14T15:43:50Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

mend-for-jackfan.us.kg bot added the security vulnerability Security vulnerability detected by WhiteSource label Dec 7, 2021

mend-for-jackfan.us.kg bot mentioned this issue Dec 7, 2021

Update dependency lodash to 4.17.21 - autoclosed #362

Closed

1 task

mend-for-jackfan.us.kg bot mentioned this issue Feb 3, 2022

Update dependency react-native to ^0.68.1 #380

Open

1 task

mend-for-jackfan.us.kg bot mentioned this issue Mar 6, 2022

Update webdriverio monorepo - autoclosed #389

Closed

1 task

stale bot added the closing label Apr 14, 2022

stale bot closed this as completed Apr 28, 2022

mend-for-jackfan.us.kg bot mentioned this issue May 2, 2022

Update webdriverio monorepo to v7 (major) #381

Open

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2021-23337 (High) detected in lodash-3.10.1.tgz, lodash-4.17.15.tgz #344

CVE-2021-23337 (High) detected in lodash-3.10.1.tgz, lodash-4.17.15.tgz #344

mend-for-jackfan.us.kg bot commented Dec 7, 2021 •

edited

Loading

stale bot commented Apr 14, 2022

CVE-2021-23337 (High) detected in lodash-3.10.1.tgz, lodash-4.17.15.tgz #344

CVE-2021-23337 (High) detected in lodash-3.10.1.tgz, lodash-4.17.15.tgz #344

Comments

mend-for-jackfan.us.kg bot commented Dec 7, 2021 • edited Loading

CVE-2021-23337 - High Severity Vulnerability

stale bot commented Apr 14, 2022

mend-for-jackfan.us.kg bot commented Dec 7, 2021 •

edited

Loading