High Vulnerabilities

[dalekube]

This is connected to the issue critical vulnerabilities #851.

The latest OWASP scan considering version 1.0.2 reports 12 high vulnerabilities. The critical vulnerabilities were successfully accounted for with the previous issue and corresponding pull request. All of the high issues pertain to npm. The security team in my organization requires critical and high vulnerabilities to be non-existent for the approved use.

pkg:npm/ini@1.3.5
HIGH
CWE-471: Modification of Assumed-Immutable Data (MAID)
https://ossindex.sonatype.org/vulnerability/c08153de-a0ad-4212-963d-3de92eaab509?component-type=npm&component-name=ini&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software does not properly protect an assumed-immutable element from being modified by an attacker.

pkg:npm/lodash@4.17.15
HIGH
CVE-2021-23337
https://ossindex.sonatype.org/vulnerability/22d2fa1f-0b1d-4240-a4c0-9954a5dc9082?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

pkg:npm/lodash@4.17.15
high
1673
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

pkg:npm/lodash@4.17.15
HIGH
CVE-2020-8203
https://ossindex.sonatype.org/vulnerability/8740216c-fea2-4998-a7c0-a687c35a2f92?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

pkg:npm/lodash@4.17.15
HIGH
CWE-770: Allocation of Resources Without Limits or Throttling
https://ossindex.sonatype.org/vulnerability/eeedfb1c-6a5e-428c-bb17-c64b66f9eced?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
"The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor."

pkg:npm/lodash@4.17.20
HIGH
CVE-2021-23337
https://ossindex.sonatype.org/vulnerability/22d2fa1f-0b1d-4240-a4c0-9954a5dc9082?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

pkg:npm/lodash@4.17.20
high
1673
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

pkg:npm/markdown@0.5.0
HIGH
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
https://ossindex.sonatype.org/vulnerability/696b3c22-8fb1-4dde-8042-4691ae4107d6?component-type=npm&component-name=markdown&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended."

pkg:npm/minimist@0.0.10
HIGH
CWE-94: Improper Control of Generation of Code ('Code Injection')
https://ossindex.sonatype.org/vulnerability/a0172c09-270c-4d3c-9816-564f20f372db?component-type=npm&component-name=minimist&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
"The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment."

pkg:npm/prismjs@1.19.0
HIGH
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
https://ossindex.sonatype.org/vulnerability/80928575-5fee-4f94-8bc6-48b2461442df?component-type=npm&component-name=prismjs&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended."

pkg:npm/y18n@3.2.1
high
1654
"y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.\n\n## POC\n\n\nconst y18n = require('y18n')();\n \ny18n.setLocale('__proto__');\ny18n.updateLocale({polluted: true});\n\nconsole.log(polluted); \/\/ true\n"

pkg:npm/y18n@3.2.1
HIGH
CWE-20: Improper Input Validation
https://ossindex.sonatype.org/vulnerability/ef4add6f-4439-4eb8-bd0e-d040ff4ba76b?component-type=npm&component-name=y18n&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

[Mohitduklan]

I have done a scan on Veracode and I have found some vulnerabilities similar to the above one.
Please check them out.
Software Composition Analysis
Vulnerabilities

Component filemane: lodash
Component Path:
file7715563450_1623640769182_html/docs/node_modules:lodash
file7715563450_1623640775376_html/docs/node_modules:lodash
Current version: 4.17.15
Safe version: 4.17.21
Latest version: 4.17.21
High: 2
Medium: 2

Component filemane: y18n
Component Path:
file7715563450_1623640769182_html/docs/node_modules:y18n
file7715563450_1623640775376_html/docs/node_modules:y18n
Current version:
Safe version: 3.2.1
Latest version: 6.0.0-alpha.0
High: 1

Component filemane: minimist
Component Path:
file7715563450_1623640769182_html/docs/node_modules:minimist
file7715563450_1623640775376_html/docs/node_modules:minimist
Current version: 0.0.10
Safe version: 1.2.2
Latest version: 1.2.5
High: 1

Component filemane: minimist
Component Path:
file7715563450_1623640769182_html/docs/node_modules:minimist
file7715563450_1623640775376_html/docs/node_modules:minimist
Current version: 0.0.8
Safe version: 1.2.2
Latest version: 1.2.5
High: 1

Component filemane: minimist
Component Path:
file7715563450_1623640769182_html/docs/node_modules:minimist
file7715563450_1623640775376_html/docs/node_modules:minimist
Current version: 1.2.0
Safe version: 1.2.2
Latest version: 1.2.5
High: 1

Component filemane: ini
Component Path:
file7715563450_1623640769182_html/docs/node_modules:ini
file7715563450_1623640775376_html/docs/node_modules:ini
Current version: 1.3.5
Safe version: 1.3.6
Latest version: 2.0.0
High: 1

Component filename: ejs
Component Path:
file7715563450_1623640769182_html/docs/node_modules:ejs
file7715563450_1623640775376_html/docs/node_modules:ejs
Current version: 2.7.1
Safe version: 1.3.6
Latest version: 1.3.6
High: 1

[dalekube]

One new CRITICAL vulnerability showed up with a new scan for the latest version (v1.0.2.post0), scanned on 6/24 at 9:30 AM CT:

pkg:npm/lodash@4.17.15
CRITICAL
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
https://ossindex.sonatype.org/vulnerability/2053350d-b06f-4926-88ea-871760f6e5d8?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

[dalekube]

I assume most of these vulnerabilities can be resolved with npm module upgrades?

[niklub]

Hey, @dalekube ! Thanks to @nicholasrq, npm-related critical vulnerabilities have been fixed and are currently in the latest master branch. We're going to include these fixes in the upcoming 1.2 release, meanwhile it would be helpful if you could scan it again and check whether they have gone

[dalekube]

Thank you, @nicholasrq. It looks like some vulnerabilities were cleared. However, the critical vulnerability with lodash@4.17.15 still exists. There are 12 high and 1 critical vulnerabilities remaining. I am using Barista for the scanning, which passes all project and dependency code through the OWASP Dependency Check tool to gather published vulnerability information.

pkg:npm/glob-parent@5.1.0
HIGH
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
https://ossindex.sonatype.org/vulnerability/64cd5f21-8af4-4eae-ac7d-a53241ea693a?component-type=npm&component-name=glob-parent&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

pkg:npm/ini@1.3.5
HIGH
CWE-471: Modification of Assumed-Immutable Data (MAID)
https://ossindex.sonatype.org/vulnerability/c08153de-a0ad-4212-963d-3de92eaab509?component-type=npm&component-name=ini&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software does not properly protect an assumed-immutable element from being modified by an attacker.

pkg:npm/lodash@4.17.15
HIGH
1673
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

pkg:npm/markdown@0.5.0
HIGH
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
https://ossindex.sonatype.org/vulnerability/696b3c22-8fb1-4dde-8042-4691ae4107d6?component-type=npm&component-name=markdown&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

pkg:npm/minimist@0.0.10
HIGH
CWE-94: Improper Control of Generation of Code ('Code Injection')
https://ossindex.sonatype.org/vulnerability/a0172c09-270c-4d3c-9816-564f20f372db?component-type=npm&component-name=minimist&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

pkg:npm/prismjs@1.19.0
HIGH
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
https://ossindex.sonatype.org/vulnerability/80928575-5fee-4f94-8bc6-48b2461442df?component-type=npm&component-name=prismjs&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

pkg:npm/prismjs@1.19.0
HIGH
CVE-2021-23341
https://ossindex.sonatype.org/vulnerability/9ec9dcbf-9f3b-4bcc-9258-f17b2b5700c1?component-type=npm&component-name=prismjs&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

pkg:npm/prismjs@1.19.0
HIGH
1762
In prismjs before 1.24.0 some languages are vulnerable to Regular Expression Denial of Service (ReDoS).\n\n### Impact\n\nWhen Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. Do not use the following languages to highlight untrusted text.\n\n- ASCIIDoc\n- ERB\n\nOther languages are not affected and can be used to highlight untrusted text.\n\n### Patches\nThis problem has been fixed in Prism v1.24.\n\n### References\n\n- PrismJS/prism#2774\n- PrismJS/prism#2688\n

pkg:npm/tar@4.4.8
HIGH
1771
The tar package has a high severity vulnerability before versions 3.2.3, 4.4.15, 5.0.7, and 6.1.2.\n\n### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \/home\/user\/.bashrc would turn into home\/user\/.bashrc. \n\nThis logic was insufficient when file paths contained repeated path roots such as \/\/\/\/home\/user\/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \/\/\/home\/user\/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. \n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths.\n\njs\nconst path = require('path')\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n \/\/ either add this function...\n onentry: (entry) => {\n if (path.isAbsolute(entry.path)) {\n entry.path = sanitizeAbsolutePathSomehow(entry.path)\n entry.absolute = path.resolve(entry.path)\n }\n },\n\n \/\/ or this one\n filter: (file, entry) => {\n if (path.isAbsolute(entry.path)) {\n return false\n } else {\n return true\n }\n }\n})\n\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.

pkg:npm/tar@4.4.8
HIGH
1770
The tar package has a high severity vulnerability before versions 3.2.2, 4.4.14, 5.0.6, and 6.1.1.\n\n### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \/home\/user\/.bashrc would turn into home\/user\/.bashrc. \n\nThis logic was insufficient when file paths contained repeated path roots such as \/\/\/\/home\/user\/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \/\/\/home\/user\/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. \n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths.\n\njs\nconst path = require('path')\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n \/\/ either add this function...\n onentry: (entry) => {\n if (path.isAbsolute(entry.path)) {\n entry.path = sanitizeAbsolutePathSomehow(entry.path)\n entry.absolute = path.resolve(entry.path)\n }\n },\n\n \/\/ or this one\n filter: (file, entry) => {\n if (path.isAbsolute(entry.path)) {\n return false\n } else {\n return true\n }\n }\n})\n\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.

pkg:npm/y18n@3.2.1
HIGH
1654
y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.\n\n## POC\n\n\nconst y18n = require('y18n')();\n \ny18n.setLocale('__proto__');\ny18n.updateLocale({polluted: true});\n\nconsole.log(polluted); \/\/ true\n

pkg:npm/y18n@3.2.1
HIGH
CWE-20: Improper Input Validation
https://ossindex.sonatype.org/vulnerability/ef4add6f-4439-4eb8-bd0e-d040ff4ba76b?component-type=npm&component-name=y18n&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

pkg:npm/lodash@4.17.15
CRITICAL
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
https://ossindex.sonatype.org/vulnerability/2053350d-b06f-4926-88ea-871760f6e5d8?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

[dalekube]

Excellent progress, @nicholasrq! I re-scanned the master branch and only three high vulnerabilities remain. The one critical vulnerability was resolved.

pkg:npm/ini@1.3.5
HIGH
CWE-471: Modification of Assumed-Immutable Data (MAID)
https://ossindex.sonatype.org/vulnerability/c08153de-a0ad-4212-963d-3de92eaab509?component-type=npm&component-name=ini&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0
The software does not properly protect an assumed-immutable element from being modified by an attacker.

pkg:npm/tar@4.4.8
HIGH
1770
The tar package has a high severity vulnerability before versions 3.2.2, 4.4.14, 5.0.6, and 6.1.1.\n\n### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \/home\/user\/.bashrc would turn into home\/user\/.bashrc. \n\nThis logic was insufficient when file paths contained repeated path roots such as \/\/\/\/home\/user\/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \/\/\/home\/user\/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. \n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths.\n\njs\nconst path = require('path')\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n \/\/ either add this function...\n onentry: (entry) => {\n if (path.isAbsolute(entry.path)) {\n entry.path = sanitizeAbsolutePathSomehow(entry.path)\n entry.absolute = path.resolve(entry.path)\n }\n },\n\n \/\/ or this one\n filter: (file, entry) => {\n if (path.isAbsolute(entry.path)) {\n return false\n } else {\n return true\n }\n }\n})\n\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.

pkg:npm/tar@4.4.8
HIGH
1771
The tar package has a high severity vulnerability before versions 3.2.3, 4.4.15, 5.0.7, and 6.1.2.\n\n### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \/home\/user\/.bashrc would turn into home\/user\/.bashrc. \n\nThis logic was insufficient when file paths contained repeated path roots such as \/\/\/\/home\/user\/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \/\/\/home\/user\/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. \n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths.\n\njs\nconst path = require('path')\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n \/\/ either add this function...\n onentry: (entry) => {\n if (path.isAbsolute(entry.path)) {\n entry.path = sanitizeAbsolutePathSomehow(entry.path)\n entry.absolute = path.resolve(entry.path)\n }\n },\n\n \/\/ or this one\n filter: (file, entry) => {\n if (path.isAbsolute(entry.path)) {\n return false\n } else {\n return true\n }\n }\n})\n\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.

[nicholasrq]

@dalekube hey!

took another round updating vulnerable packages. please, take a look on the progress. everything must be clear now

[dalekube]

@dalekube hey!

took another round updating vulnerable packages. please, take a look on the progress. everything must be clear now

@nicholasrq , thank you! I completed another scan. All that remains are 9 medium vulnerabilities. We are good to go on our end now considering that the critical and high vulnerabilities were properly accounted for. Thanks again for the updates! We will wait until the next release and then upgrade our instance with pip—and then begin to use the instance.