New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sonatype shows a new critical security violation. #5781
Comments
Confirmed via case with Sonatype for same issue my developers were asking me about. came back as human error and reverted the Critical 10...This is why it no longer shows up... as FYI |
We were informed that this was an erroneous classification and that lodash does NOT contain the vulnerability. The issue can be closed. |
Thanks for the follow up. I can confirm that Sonatype & Snyk have withdrawn it as a security issue, however they are listing it as a major defect, not that it doesn't contain a vulnerability. This is due to the vendors position that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input. I would recommend adding some verbiage to the documentation with a warning to this effect. |
Github's dependabot flags Lodash 4.7.12 as containing a critical security vulnerability:
Is this also a false positive? If so, does anyone know where the false positive came from or how to address it? This report from Snyk says that versions of Lodash below 4.7.12 have a prototype pollution vulnerability in defaultsDeep. Why does Github's dependabot seem to contradict that? |
As of yesterday, Sonatype is showing the following as a critical security issue. We tried rolling back to versions prior to 4.17.16, but those contain their own security issues that had since been addressed so that is a no-go for us.
Unless we can get a solution for this, we'll need to remove the use of lodash from dozens of projects here. We're hoping that if this is something that will be addressed and some sort of timeline given for the solution, the IT Security team will grant a limited exception until it's available.
Thank you,
Rich Werning
lodash : 4.17.21
Violation of Security-Critical
Policy Constraint
Critical risk CVSS score is in violation for the following reason(s):
sonatype-2019-0467
Explanation
The lodash package is vulnerable to Prototype Pollution. The template function in lodash.js, template.js, and lodash.min.js does not account for unicode newline characters when filtering the sourceURL property of the options object. Because of how the options object is used, an attacker who can control the source URL can leverage this to alter properties on the prototype chain, which can cause other sections of code to behave in an arbitrary and malicious way.
Please note that this vulnerability is due to an incomplete fix in sonatype-2019-0500.
Detection
The application is vulnerable by using this component, but the following conditions apply:
Version 4.17.16 of lodash (as present in npm downloads) has eliminated the vulnerable regex in the file package/lodash.js. The fixed regex is introduced in package/lodash.js starting in version 4.17.17. However, all versions >=4.17.12 (including 4.17.16, 4.17.17, etc.) continue to contain the vulnerable regex in the package/template.js file until the fix is found in version 4.17.20 of npm downloads.
Advisories
Project #4517
Project #4518
The text was updated successfully, but these errors were encountered: