Current release of @vue/cli-service is affected by CVE-2021-23362 Command Injection #6462

Closed
undergroundwires opened this issue May 7, 2021 · 1 comment

undergroundwires commented May 7, 2021

Version

4.5.11

Environment info

Environment Info:

  System:
    OS: macOS 11.2.3
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Binaries:
    Node: 14.1.0 - /usr/local/bin/node
    Yarn: Not Found
    npm: 7.11.2 - /usr/local/bin/npm
  Browsers:
    Chrome: Not Found
    Edge: Not Found
    Firefox: 88.0
    Safari: 14.0.3
  npmPackages:
    @fortawesome/vue-fontawesome: ^2.0.2 => 2.0.2 
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.0.3 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.11 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.11 
    @vue/cli-plugin-babel: ^4.5.11 => 4.5.11 
    @vue/cli-plugin-router:  4.5.11 
    @vue/cli-plugin-typescript: ^4.5.11 => 4.5.11 
    @vue/cli-plugin-unit-mocha: ^4.5.11 => 4.5.11 
    @vue/cli-plugin-vuex:  4.5.11 
    @vue/cli-service: ^4.5.11 => 4.5.11 
    @vue/cli-shared-utils:  4.5.11 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/test-utils: 1.1.3 => 1.1.3 
    @vue/web-component-wrapper:  1.3.0 
    typescript: ^4.2.3 => 4.2.3 
    vue: ^2.6.12 => 2.6.12 
    vue-class-component: ^7.2.6 => 7.2.6 
    vue-cli-plugin-electron-builder: ^2.0.0-rc.6 => 2.0.0-rc.6 
    vue-cli-webpack:  1.0.0 
    vue-hot-reload-api:  2.3.4 
    vue-js-modal: ^2.0.0-rc.6 => 2.0.0-rc.6 
    vue-loader:  15.9.6 (16.2.0)
    vue-property-decorator: ^9.1.2 => 9.1.2 
    vue-resize:  1.0.0 
    vue-style-loader:  4.1.2 
    vue-template-compiler: ^2.6.12 => 2.6.12 
    vue-template-es2015-compiler:  1.9.1 
  npmGlobalPackages:

Steps to reproduce

  • Clone any repo (I tested on privacy.sexy)
  • Run npm install
  • Run npm audit

What is expected?

No vulnerabilities from lodash

What is actually happening?

npm audit is failing because of vulnerable lodash dependencies


https://npmjs.com/advisories/1673
https://nvd.nist.gov/vuln/detail/CVE-2021-23337

@undergroundwires
Author

Resolved in 4.15.12
