Recidiviz/supervision-success-component

Security Alert - Package: lodash; Severity: HIGH; Vuln ID: GHSA-35jh-r3h4-6jhm

Closed this issue · 2 comments


due: 2022-02-23

A new vulnerability has been reported by Dependabot. The criticality of this vulnerability is HIGH.

HIGH vulnerabilities have an SLA of 30 days according to our policy.

Affected package: lodash
Ecosystem: NPM
Affected version range: < 4.17.21

Summary: Command Injection in lodash
Description: `lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Identifiers: GHSA-35jh-r3h4-6jhm (GHSA), CVE-2021-23337 (CVE)

Fixed Version: 4.17.21
Created Date: January 18, 2022

**Additional Context**
https://github.com/Recidiviz/supervision-success-component/security/dependabot?q=is%3Aopen+sort%3Anewest

@phenggeler - label applied: Due this month.

I was testing out a script to help auto-generate these issues, and we ended up with a lot of false positives. Closing this ticket out as a duplicate and removing the vulnerability labels, since it is not a true vulnerability.