Node.js package-lock.json : library: lodash v4.17.15, HIGH severity vulnerability id: NSWG-ECO-516 , title : Allocation of Resources Without Limits or Throttling #527
Comments
cristianbriscaru
added
the
triage/support
|
That's the commit where it was added to the NSWG database. Odd that the maintainers have not been notified if it is a severe vulnerability imho, but yeah, that's all the data I can find on it! |
|
On further investigation, I figured out that the vulnerability is actually available in snyk too: It shares the same hackerone link, which seems to have not been fixed in lodash even though a PR have been available since may 7: lodash/lodash#4759 |
|
@Johannestegner thank you for the prompt response, I have more than enough info and I will close this issue. |
|
@Johannestegner From what I can tell, this issue has been resolved in Lodash v4.17.19, however Trivy is still reporting a HIGH severity vulnerability. Lodash PR: lodash/lodash#4759 Please could you let me know if this is the case and if so when the Trivy db will be updated? |
|
Hi there @rickymcgeehan! I'm not in the trivy team, so can't help you there, sorry! |
Sorry! I wrongly assumed! |
|
@Johannestegner Thank you for answering on my behalf! |
Co-authored-by: Owen Rumney <owen.rumney@aquasec.com>
Hi guys trivy is detecting this vulnerability in Docker image in package-lock.json for a Node server:
lodash v4.17.15 HIGH NSWG-ECO-516 Allocation of Resources Without Limits or Throttling.
I could not find any info regarding this particular vulnerability and npm audit and snyk is not detecting it , also not even the guys maintaining the lodash library seem to be aware of this vulnerability and I could not find any info about it. Can you point me in the wright direction as to where I can find more info or where the vulnerability has been reported ?
The text was updated successfully, but these errors were encountered: