SAP/karma-ui5

potential security vulnerability issue

bhadana-rajesh opened this issue · 1 comments

Hi,

Potential security vulnerability issue in one of the dependencies, underscore@1.10.2:

7.2 | CVE-2021-23358 | Mar-29-2021 | underscore-1.10.2.js | The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized. Upgrade to version underscore 1.12.1 or 1.13.0-2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Dependency tree

```
+-- karma-ui5@2.3.3
| +-- @ui5/fs@2.0.6
| | +-- @ui5/logger@2.0.1
| | | `-- npmlog@4.1.2
| | |   +-- are-we-there-yet@1.1.5
| | |   | +-- delegates@1.0.0
| | |   | `-- readable-stream@2.3.7 deduped
| | |   +-- console-control-strings@1.1.0
| | |   +-- gauge@2.7.4
| | |   | +-- aproba@1.2.0
| | |   | +-- console-control-strings@1.1.0 deduped
| | |   | +-- has-unicode@2.0.1
| | |   | +-- object-assign@4.1.1 deduped
| | |   | +-- signal-exit@3.0.3 deduped
| | |   | +-- string-width@1.0.2
| | |   | | +-- code-point-at@1.1.0
| | |   | | +-- is-fullwidth-code-point@1.0.0
| | |   | | | `-- number-is-nan@1.0.1 deduped
| | |   | | `-- strip-ansi@3.0.1 deduped
| | |   | +-- strip-ansi@3.0.1 deduped
| | |   | `-- wide-align@1.1.3
| | |   |   `-- string-width@2.1.1 deduped
| | |   `-- set-blocking@2.0.0
| | +-- clone@2.1.2 deduped
| | +-- globby@11.0.3
| | | +-- array-union@2.1.0
| | | +-- dir-glob@3.0.1
| | | | `-- path-type@4.0.0
| | | +-- fast-glob@3.2.5
| | | | +-- @nodelib/fs.stat@2.0.4
| | | | +-- @nodelib/fs.walk@1.2.6
| | | | | +-- @nodelib/fs.scandir@2.1.4
| | | | | | +-- @nodelib/fs.stat@2.0.4 deduped
| | | | | | `-- run-parallel@1.2.0
| | | | | |   `-- queue-microtask@1.2.3
| | | | | `-- fastq@1.11.0
| | | | |   `-- reusify@1.0.4
| | | | +-- glob-parent@5.1.2
| | | | | `-- is-glob@4.0.1
| | | | |   `-- is-extglob@2.1.1
| | | | +-- merge2@1.4.1 deduped
| | | | +-- micromatch@4.0.4
| | | | | +-- braces@3.0.2 deduped
| | | | | `-- picomatch@2.2.3 deduped
| | | | `-- picomatch@2.2.3 deduped
| | | +-- ignore@5.1.8
| | | +-- merge2@1.4.1
| | | `-- slash@3.0.0
| | +-- graceful-fs@4.2.6 deduped
| | +-- make-dir@3.1.0 deduped
| | +-- micromatch@4.0.4
| | | +-- braces@3.0.2 deduped
| | | `-- picomatch@2.2.3 deduped
| | +-- minimatch@3.0.4 deduped
| | +-- pretty-hrtime@1.0.3
| | `-- random-int@2.0.1
| +-- @ui5/project@2.3.1
| | +-- @ui5/builder@2.8.2
| | | +-- @ui5/fs@2.0.6 deduped
| | | +-- @ui5/logger@2.0.1 deduped
| | | +-- cheerio@0.22.0
| | | | +-- css-select@1.2.0
| | | | | +-- boolbase@1.0.0
| | | | | +-- css-what@2.1.3
| | | | | +-- domutils@1.5.1
| | | | | | +-- dom-serializer@0.1.1 deduped
| | | | | | `-- domelementtype@1.3.1 deduped
| | | | | `-- nth-check@1.0.2
| | | | |   `-- boolbase@1.0.0 deduped
| | | | +-- dom-serializer@0.1.1
| | | | | +-- domelementtype@1.3.1
| | | | | `-- entities@1.1.2 deduped
| | | | +-- entities@1.1.2
| | | | +-- htmlparser2@3.10.1
| | | | | +-- domelementtype@1.3.1 deduped
| | | | | +-- domhandler@2.4.2
| | | | | | `-- domelementtype@1.3.1 deduped
| | | | | +-- domutils@1.5.1 deduped
| | | | | +-- entities@1.1.2 deduped
| | | | | +-- inherits@2.0.3 deduped
| | | | | `-- readable-stream@3.6.0
| | | | |   +-- inherits@2.0.3 deduped
| | | | |   +-- string_decoder@1.1.1 deduped
| | | | |   `-- util-deprecate@1.0.2 deduped
| | | | +-- lodash.assignin@4.2.0
| | | | +-- lodash.bind@4.2.1
| | | | +-- lodash.defaults@4.2.0
| | | | +-- lodash.filter@4.6.0
| | | | +-- lodash.flatten@4.4.0
| | | | +-- lodash.foreach@4.5.0
| | | | +-- lodash.map@4.6.0
| | | | +-- lodash.merge@4.6.2
| | | | +-- lodash.pick@4.4.0
| | | | +-- lodash.reduce@4.6.0
| | | | +-- lodash.reject@4.6.0
| | | | `-- lodash.some@4.6.0
| | | +-- escape-unicode@0.2.0
| | | +-- escodegen@2.0.0
| | | | +-- esprima@4.0.1 deduped
| | | | +-- estraverse@5.2.0
| | | | +-- esutils@2.0.3 deduped
| | | | +-- optionator@0.8.1 deduped
| | | | `-- source-map@0.6.1
| | | +-- escope@3.6.0
| | | | +-- es6-map@0.1.5
| | | | | +-- d@1.0.1
| | | | | | +-- es5-ext@0.10.53 deduped
| | | | | | `-- type@1.2.0
| | | | | +-- es5-ext@0.10.53
| | | | | | +-- es6-iterator@2.0.3 deduped
| | | | | | +-- es6-symbol@3.1.3 deduped
| | | | | | `-- next-tick@1.0.0
| | | | | +-- es6-iterator@2.0.3
| | | | | | +-- d@1.0.1 deduped
| | | | | | +-- es5-ext@0.10.53 deduped
| | | | | | `-- es6-symbol@3.1.3 deduped
| | | | | +-- es6-set@0.1.5
| | | | | | +-- d@1.0.1 deduped
| | | | | | +-- es5-ext@0.10.53 deduped
| | | | | | +-- es6-iterator@2.0.3 deduped
| | | | | | +-- es6-symbol@3.1.1
| | | | | | | +-- d@1.0.1 deduped
| | | | | | | `-- es5-ext@0.10.53 deduped
| | | | | | `-- event-emitter@0.3.5 deduped
| | | | | +-- es6-symbol@3.1.3
| | | | | | +-- d@1.0.1 deduped
| | | | | | `-- ext@1.4.0
| | | | | |   `-- type@2.5.0
| | | | | `-- event-emitter@0.3.5
| | | | |   +-- d@1.0.1 deduped
| | | | |   `-- es5-ext@0.10.53 deduped
| | | | +-- es6-weak-map@2.0.3
| | | | | +-- d@1.0.1 deduped
| | | | | +-- es5-ext@0.10.53 deduped
| | | | | +-- es6-iterator@2.0.3 deduped
| | | | | `-- es6-symbol@3.1.3 deduped
| | | | +-- esrecurse@4.3.0 deduped
| | | | `-- estraverse@4.3.0 deduped
| | | +-- esprima@4.0.1 deduped
| | | +-- estraverse@5.1.0
| | | +-- globby@11.0.3 deduped
| | | +-- graceful-fs@4.2.6 deduped
| | | +-- jsdoc@3.6.6
| | | | +-- @babel/parser@7.13.15 deduped
| | | | +-- bluebird@3.7.2 deduped
| | | | +-- catharsis@0.8.11
| | | | | `-- lodash@4.17.21 deduped
| | | | +-- escape-string-regexp@2.0.0
| | | | +-- js2xmlparser@4.0.1
| | | | | `-- xmlcreate@2.0.3
| | | | +-- klaw@3.0.0
| | | | | `-- graceful-fs@4.2.6 deduped
| | | | +-- markdown-it@10.0.0
| | | | | +-- argparse@1.0.10 deduped
| | | | | +-- entities@2.0.3
| | | | | +-- linkify-it@2.2.0
| | | | | | `-- uc.micro@1.0.6 deduped
| | | | | +-- mdurl@1.0.1
| | | | | `-- uc.micro@1.0.6
| | | | +-- markdown-it-anchor@5.3.0
| | | | +-- marked@0.8.2
| | | | +-- mkdirp@1.0.4
| | | | +-- requizzle@0.2.3
| | | | | `-- lodash@4.17.21 deduped
| | | | +-- strip-json-comments@3.1.1
| | | | +-- taffydb@2.6.2
| | | | `-- underscore@1.10.2
```

Thanks,
Rajesh
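
The injection the advisory quoted above describes, as an added example that is not part of the original issue and not underscore's source code: a stripped-down model of the `_.template` code generation pattern in which the `variable` option is spliced verbatim into `new Function(...)` as a parameter name, so a string that is not a plain identifier (here a default-parameter expression) is compiled and executed as JavaScript. The hardened variant rejects anything that is not a bare identifier, which is the class of check the fixed underscore releases apply to `variable`. The names `compileTemplate`, `compileTemplateSafe`, `demo` and the `globalThis.pwned` marker are this example's own.

```javascript
// Added example: minimal template compiler that models the code path behind
// CVE-2021-23358. It is not underscore's code; it keeps only the relevant
// mechanics: literal text, <%= expr %> interpolation, an optional `with`
// block, and the `variable` option used as a parameter name.
function compileTemplate(text, settings = {}) {
  const interpolate = /<%=([\s\S]+?)%>/g;
  let source = "__p+='";
  let index = 0;
  let m;
  while ((m = interpolate.exec(text)) !== null) {
    source += escapeLiteral(text.slice(index, m.index));
    source += "'+((__t=(" + m[1] + "))==null?'':__t)+'";
    index = m.index + m[0].length;
  }
  source += escapeLiteral(text.slice(index)) + "';\n";
  // Without a variable name, data fields are brought into scope with `with`.
  if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
  source = "var __t,__p='';\n" + source + 'return __p;\n';
  // Injection point: the option is used verbatim as the first parameter name,
  // so "obj = <code>" becomes a default-parameter expression that runs when
  // the compiled template is invoked without data.
  const render = new Function(settings.variable || 'obj', '_', source);
  return data => render(data, {});
}

function escapeLiteral(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/\n/g, '\\n');
}

const BARE_IDENTIFIER = /^[a-zA-Z_$][\w$]*$/;

// Hardened variant: refuse any `variable` that is not a bare identifier, so the
// option can only ever name a parameter and never carry an expression.
function compileTemplateSafe(text, settings = {}) {
  if (settings.variable && !BARE_IDENTIFIER.test(settings.variable)) {
    throw new Error('variable is not a bare identifier: ' + settings.variable);
  }
  return compileTemplate(text, settings);
}

// Runs the same attacker-controlled option against both variants and returns
// what happened, so the outcome can be asserted rather than eyeballed.
function demo() {
  // Constructed payload: a harmless marker instead of a child_process call.
  const payload = 'obj = (globalThis.pwned = true)';

  globalThis.pwned = false;
  const outputVuln = compileTemplate('static text', { variable: payload })();
  const codeRan = globalThis.pwned === true; // true: the payload executed

  globalThis.pwned = false;
  let rejected = false;
  try {
    compileTemplateSafe('static text', { variable: payload });
  } catch (e) {
    rejected = /bare identifier/.test(e.message);
  }
  const blocked = rejected && globalThis.pwned === false;

  // Legitimate use keeps working under the hardened variant.
  const greeting = compileTemplateSafe('Hello <%= data.name %>!', { variable: 'data' })({ name: 'world' });
  const scoped = compileTemplateSafe('<%= who %>')({ who: 'scoped' });
  return { outputVuln, codeRan, blocked, greeting, scoped };
}
```

The vulnerable call returns the rendered text as if nothing happened, which is why the flaw is easy to miss in tests that only compare output; the marker on `globalThis` is what shows the injected code ran before the template body did.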

matz3 commented

The dependency only comes via jsdoc, and we're already using the latest version, v3.6.6.
This seems to be already tracked here: jsdoc/jsdoc#1906
If they release a bugfix as v3.6.7, there's nothing to be done by this project. Consumers only need to make sure that they update their package-lock files to consume the latest in-range dependencies. Therefore closing this issue.
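
Checking a lockfile for the affected ranges, as an added example that is not part of the issue thread or the karma-ui5 project: the script walks the nested `dependencies` objects of a lockfile v1 `package-lock.json` (the layout behind the npm 6 tree posted above) and reports every copy of underscore whose version falls inside the two ranges the advisory names, including pre-release versions such as 1.13.0-1. `SAMPLE_LOCK` is a constructed fragment that mirrors the jsdoc path from the tree plus a hoisted, already-fixed copy; it is not a real lockfile. The helper names and the `VULN_RANGES` table are this example's own, and build metadata (`+...`) in version strings is assumed absent.

```javascript
// Added example: audit a package-lock.json (lockfile v1, nested dependencies)
// for copies of a package inside known-vulnerable semver ranges.

// Constructed lockfile fragment, not a real one from the project.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 1,
  dependencies: {
    'karma-ui5': { version: '2.3.3', dependencies: {
      '@ui5/project': { version: '2.3.1', dependencies: {
        '@ui5/builder': { version: '2.8.2', dependencies: {
          jsdoc: { version: '3.6.6', dependencies: {
            underscore: { version: '1.10.2' }
          } }
        } }
      } }
    } },
    underscore: { version: '1.13.1' } // hoisted copy that is already fixed
  }
};

// Ranges from the CVE text: [1.3.2, 1.12.1) and [1.13.0-0, 1.13.0-2).
const VULN_RANGES = {
  underscore: [['1.3.2', '1.12.1'], ['1.13.0-0', '1.13.0-2']]
};

// Split "major.minor.patch[-pre.release]" into numeric core and pre-release ids.
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1
    ? null
    : v.slice(dash + 1).split('.').map(id => (/^\d+$/.test(id) ? Number(id) : id));
  return { nums: core.split('.').map(Number), pre };
}

// Semver precedence: core numerically; a release outranks its own pre-releases;
// pre-release ids compare numerically, numeric before alphanumeric, and a
// longer id list wins when the shared prefix is equal.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    const xn = typeof x === 'number', yn = typeof y === 'number';
    if (xn && yn) return x < y ? -1 : 1;
    if (xn) return -1;
    if (yn) return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Inclusive lower bound, exclusive upper bound, as the advisory phrases it.
function inRange(version, [min, maxExclusive]) {
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// Returns one "pkg@ver > pkg@ver > ..." path per vulnerable copy found.
function findVulnerable(lock, ranges = VULN_RANGES) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${node.version}`];
      const r = ranges[name];
      if (r && r.some(range => inRange(node.version, range))) hits.push(here.join(' > '));
      walk(node.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}
```

Against a real project, load the file with `JSON.parse(fs.readFileSync('package-lock.json'))` instead of `SAMPLE_LOCK`; `npm ls underscore` prints the same path interactively. The point of the path output is the one the comment above makes: a hoisted, fixed copy at the top level does not help while a nested, pinned copy under jsdoc still resolves to 1.10.2, so after a fixed upstream release the lockfile has to be regenerated and the check rerun.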