Node.js package-lock.json : library: lodash v4.17.15, HIGH severity vulnerability id: NSWG-ECO-516 , title : Allocation of Resources Without Limits or Throttling #527
Comments
That's the commit where it was added to the NSWG database. Odd that the maintainers have not been notified if it is a severe vulnerability imho, but yeah, that's all the data I can find on it!
On further investigation, I figured out that the vulnerability is actually available in snyk too: it shares the same hackerone link, which seems to have not been fixed in lodash even though a PR has been available since May 7: lodash/lodash#4759
@Johannestegner thank you for the prompt response, I have more than enough info and I will close this issue.
@Johannestegner From what I can tell, this issue has been resolved in Lodash v4.17.19, however Trivy is still reporting a HIGH severity vulnerability. Lodash PR: lodash/lodash#4759 Please could you let me know if this is the case and if so when the Trivy db will be updated? |
Hi there @rickymcgeehan! I'm not in the trivy team, so can't help you there, sorry! |
Sorry! I wrongly assumed! |
@Johannestegner Thank you for answering on my behalf! |
Co-authored-by: Owen Rumney <owen.rumney@aquasec.com>
Hi guys trivy is detecting this vulnerability in Docker image in package-lock.json for a Node server:
lodash v4.17.15 HIGH NSWG-ECO-516 Allocation of Resources Without Limits or Throttling.
I could not find any info regarding this particular vulnerability and npm audit and snyk are not detecting it, also not even the guys maintaining the lodash library seem to be aware of this vulnerability and I could not find any info about it. Can you point me in the right direction as to where I can find more info or where the vulnerability has been reported?
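Trivy reads the pinned version out of package-lock.json, not the range in package.json, so "^4.17.15" in package.json says nothing about what is actually installed. The script below is an added example (not code from this thread, from Trivy, or from lodash) that walks a lock file the same way and lists every installed copy of a package below a chosen version. It handles both lockfileVersion 1 (nested "dependencies") and lockfileVersion 2/3 (flat "packages" keyed by path), so a second, older copy nested under another dependency is not missed. The sample lock documents are constructed inline, the threshold 4.17.19 is taken from the claim in this thread that the issue is resolved there, and the function names are my own.

```javascript
// Added example: find installed copies of a package in a package-lock.json
// that are older than a given fixed version. Not from Trivy or lodash.

// Parse "MAJOR.MINOR.PATCH" (any pre-release suffix is ignored for this check).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Returns -1, 0 or 1 like a comparator; throws on unparseable input
// rather than silently treating it as "fixed".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, keyed by its node_modules path so that a
// lockfileVersion 2 file (which carries both "packages" and "dependencies")
// does not report the same copy twice.
function findPackage(lock, name) {
  const found = new Map();

  // lockfileVersion 2/3: "packages" is flat, keys are install paths.
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const marker = 'node_modules/';
      const pkgName = path.slice(path.lastIndexOf(marker) + marker.length);
      if (pkgName === name && entry.version) found.set(path, entry.version);
    }
  }

  // lockfileVersion 1 (and 2): "dependencies" nests transitive copies.
  if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name && entry.version) found.set(path, entry.version);
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }

  return [...found].map(([path, version]) => ({ path, version }));
}

// Copies of `name` whose pinned version is below `fixedVersion`.
function vulnerableCopies(lock, name, fixedVersion) {
  return findPackage(lock, name).filter(
    (c) => compareVersions(c.version, fixedVersion) < 0,
  );
}

// Constructed sample: lockfileVersion 1 with two copies of lodash, one of
// them nested under another dependency (paths and versions are made up).
const SAMPLE_LOCK_V1 = {
  name: 'node-server',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.15' },
    'some-dep': {
      version: '2.0.0',
      dependencies: { lodash: { version: '4.17.19' } },
    },
  },
};

// Constructed sample: lockfileVersion 3, where package.json's range is a
// caret but the pinned install is still 4.17.15.
const SAMPLE_LOCK_V3 = {
  name: 'node-server',
  version: '1.0.0',
  lockfileVersion: 3,
  packages: {
    '': { name: 'node-server', version: '1.0.0', dependencies: { lodash: '^4.17.15' } },
    'node_modules/lodash': { version: '4.17.15' },
  },
};

// Stand-alone run over the constructed samples.
if (typeof require !== 'undefined' && require.main === module) {
  for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V3]) {
    const hits = vulnerableCopies(lock, 'lodash', '4.17.19');
    console.log(`lockfileVersion ${lock.lockfileVersion}:`, hits);
  }
}
```

The check is version-only: it says whether the pinned copy is below the version the thread names as fixed, nothing about whether the affected function is reachable. Run it against a real lock file by replacing the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))`.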