tlkh/ai-lab

WS-2018-0210 Low Severity Vulnerability detected by WhiteSource

mend-bolt-for-github opened this issue · 1 comment

WS-2018-0210 - Low Severity Vulnerability

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: http://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: /ai-lab/package.json

Path to vulnerable library: /tmp/git/ai-lab/node_modules/json-rpc2/node_modules/lodash/package.json

Dependency Hierarchy:

  • @theia/go-0.3.17.tgz (Root Library)
    • go-language-server-0.1.7.tgz
      • json-rpc2-1.0.2.tgz
        • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 082fbcbc8c2ef8fc2f905bd9e108a64bbeabbbfe

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js



tlkh commented

Resolved, not actually using Theia (/ai-lab/package.json is not used)