Sonatype shows a new critical security violation.

[RJWerning]

As of yesterday, Sonatype is showing the following as a critical security issue. We tried rolling back to versions prior to 4.17.16, but those contain their own security issues that had since been addressed so that is a no-go for us.

Unless we can get a solution for this, we'll need to remove the use of lodash from dozens of projects here. We're hoping that if this is something that will be addressed and some sort of timeline given for the solution, the IT Security team will grant a limited exception until it's available.

Thank you,
Rich Werning

---

lodash : 4.17.21
Violation of Security-Critical

Policy Constraint
Critical risk CVSS score is in violation for the following reason(s):

• Found security vulnerability sonatype-2019-0467 with severity >= 9 (severity = 9.8)

sonatype-2019-0467

Explanation
The lodash package is vulnerable to Prototype Pollution. The template function in lodash.js, template.js, and lodash.min.js does not account for unicode newline characters when filtering the sourceURL property of the options object. Because of how the options object is used, an attacker who can control the source URL can leverage this to alter properties on the prototype chain, which can cause other sections of code to behave in an arbitrary and malicious way.

Please note that this vulnerability is due to an incomplete fix in sonatype-2019-0500.

Detection
The application is vulnerable by using this component, but the following conditions apply:

Version 4.17.16 of lodash (as present in npm downloads) has eliminated the vulnerable regex in the file package/lodash.js. The fixed regex is introduced in package/lodash.js starting in version 4.17.17. However, all versions >=4.17.12 (including 4.17.16, 4.17.17, etc.) continue to contain the vulnerable regex in the package/template.js file until the fix is found in version 4.17.20 of npm downloads.

Advisories
Project #4517
Project #4518

[MuggleHerder]

Confirmed via case with Sonatype for same issue my developers were asking me about. came back as human error and reverted the Critical 10...This is why it no longer shows up... as FYI

[gregkopp]

We were informed that this was an erroneous classification and that lodash does NOT contain the vulnerability.

The issue can be closed.

[RJWerning]

Thanks for the follow up. I can confirm that Sonatype & Snyk have withdrawn it as a security issue, however they are listing it as a major defect, not that it doesn't contain a vulnerability. This is due to the vendors position that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input.

I would recommend adding some verbiage to the documentation with a warning to this effect.
https://lodash.com/docs/#template

[carlgieringer]

Github's dependabot flags Lodash 4.7.12 as containing a critical security vulnerability:

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Is this also a false positive? If so, does anyone know where the false positive came from or how to address it? This report from Snyk says that versions of Lodash below 4.7.12 have a prototype pollution vulnerability in defaultsDeep. Why does Github's dependabot seem to contradict that?