auditjs vulnerability warnings #2574

sirudog · 2018-12-29T13:15:21Z

Hello,

I use auditjs (https://www.npmjs.com/package/auditjs) in my CI build scripts.
This generates a vulnerability report for the package dependencies my project uses.
When the audit command is executed, it reports several warnings about lodash referenced by node-sass package.
The issue is mainly about node-sass using older/vulnerable version of lodash packages.
My question is if node-sass could be updated with a newer version of lodash (4.17.5 or newer), so that these audit warnings could be eliminated.

Here is the output of auditjs:

------------------------------------------------------------
[158/1242] lodash.clonedeep 4.5.0  [VULNERABLE]   2 known vulnerabilities affecting installed version

[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /node-sass/lodash.clonedeep

CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.

ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /node-sass/lodash.clonedeep
------------------------------------------------------------
------------------------------------------------------------
[769/1242] lodash.assign 4.2.0  [VULNERABLE]   2 known vulnerabilities affecting installed version

[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /node-sass/lodash.assign

CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.

ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /node-sass/lodash.assign
------------------------------------------------------------
------------------------------------------------------------
[770/1242] lodash.mergewith 4.6.1  [VULNERABLE]   2 known vulnerabilities affecting installed version

[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /node-sass/lodash.mergewith

CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.

ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /node-sass/lodash.mergewith
------------------------------------------------------------

The text was updated successfully, but these errors were encountered:

xzyfer · 2018-12-29T13:26:48Z

We're open to a PR as long as CI passes

…

On Sun., 30 Dec. 2018, 12:15 am Adam Biro ***@***.*** wrote: Hello, I use auditjs (https://www.npmjs.com/package/auditjs) in my CI build scripts. This generates a vulnerability report for the package dependencies my project uses. When the audit command is executed, it reports several warnings about lodash referenced by node-sass package. The issue is mainly about node-sass using older/vulnerable version of lodash packages. My question is if node-sass could be updated with a newer version of lodash (4.17.5 or newer), so that these audit warnings could be eliminated. Here is the output of auditjs: ------------------------------ [158/1242] lodash.clonedeep 4.5.0 [VULNERABLE] 2 known vulnerabilities affecting installed version [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl... lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via *proto*, causing the addition or modification of an existing property that will exist on all objects. ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69 Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69 Dependency path: /node-sass/lodash.clonedeep CWE-471: Modification of Assumed-Immutable Data (MAID) The software does not properly protect an assumed-immutable element from being modified by an attacker. ID: 0f23ff35-235f-404f-8118-bc1580673fd0 Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0 Dependency path: /node-sass/lodash.clonedeep ------------------------------ [769/1242] lodash.assign 4.2.0 [VULNERABLE] 2 known vulnerabilities affecting installed version [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl... lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via *proto*, causing the addition or modification of an existing property that will exist on all objects. ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69 Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69 Dependency path: /node-sass/lodash.assign CWE-471: Modification of Assumed-Immutable Data (MAID) The software does not properly protect an assumed-immutable element from being modified by an attacker. ID: 0f23ff35-235f-404f-8118-bc1580673fd0 Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0 Dependency path: /node-sass/lodash.assign ------------------------------ [770/1242] lodash.mergewith 4.6.1 [VULNERABLE] 2 known vulnerabilities affecting installed version [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl... lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via *proto*, causing the addition or modification of an existing property that will exist on all objects. ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69 Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69 Dependency path: /node-sass/lodash.mergewith CWE-471: Modification of Assumed-Immutable Data (MAID) The software does not properly protect an assumed-immutable element from being modified by an attacker. ID: 0f23ff35-235f-404f-8118-bc1580673fd0 Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0 Dependency path: /node-sass/lodash.mergewith — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2574>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAjZWEbJOzwCtBkBeznIYr-OTeEOZ4yMks5u92rqgaJpZM4Zkke4> .

nschonni · 2019-01-02T17:59:27Z

All the lodash dependencies are marked with ^ so they should all be updated to the latest 4.x release if you clear you dependencies and reinstall (or call npm update)

node-sass/package.json

Lines 63 to 65 in 7c1dd8e

    
           "lodash.assign": "^4.2.0", 
        
           "lodash.clonedeep": "^4.3.2", 
        
           "lodash.mergewith": "^4.6.0",

Fixes: #2574 by removing prototype vulnerabilities for: https://ossindex.sonatype.org/component/pkg:npm/lodash.assign https://ossindex.sonatype.org/component/pkg:npm/lodash.clonedeep https://ossindex.sonatype.org/component/pkg:npm/lodash.mergewith

nschonni closed this as completed Jan 2, 2019

cheesestringer mentioned this issue Jan 21, 2019

Update lodash and remove prototype vulnerabilities #2582

Merged

snyk-bot mentioned this issue Sep 12, 2019

[Snyk] Upgrade node-sass from 4.6.1 to 4.12.0 cbrightly/pump-and-dump#3

Open

snyk-bot mentioned this issue Nov 1, 2019

[Snyk] Upgrade node-sass from 4.12.0 to 4.13.0 ryshu/enib-internships#68

Merged

snyk-bot mentioned this issue Feb 23, 2020

[Snyk] Upgrade node-sass from 4.8.3 to 4.13.1 raindigi/Merchello#1

Open

This was referenced Mar 12, 2020

[Snyk] Upgrade node-sass from 4.12.0 to 4.13.1 Narshe1412/scientific-turmeric#5

Open

[Snyk] Upgrade node-sass from 4.13.0 to 4.13.1 Skyscanner/backpack-node-sass#38

Closed

[Snyk] Upgrade node-sass from 4.13.0 to 4.13.1 contentascode/metalsmith-sass#2

Open

snyk-bot mentioned this issue Mar 20, 2020

[Snyk] Upgrade node-sass from 4.12.0 to 4.13.1 elizioNeto22/ecobit#2

Merged

This was referenced Mar 27, 2020

[Snyk] Upgrade node-sass from 4.13.0 to 4.13.1 adamlaska/nodejs.org#5

Open

[Snyk] Upgrade node-sass from 4.12.0 to 4.13.1 angelika-draczynska/learning-rest-api#29

Open

This was referenced Apr 15, 2020

[Snyk] Upgrade node-sass from 4.12.0 to 4.13.1 bee22193/square-hedgehog#7

Open

[Snyk] Upgrade node-sass from 4.12.0 to 4.13.1 bee22193/magenta-goat#5

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

auditjs vulnerability warnings #2574

auditjs vulnerability warnings #2574

sirudog commented Dec 29, 2018 •

edited

xzyfer commented Dec 29, 2018 via email

nschonni commented Jan 2, 2019

auditjs vulnerability warnings #2574

auditjs vulnerability warnings #2574

Comments

sirudog commented Dec 29, 2018 • edited

xzyfer commented Dec 29, 2018 via email

nschonni commented Jan 2, 2019

sirudog commented Dec 29, 2018 •

edited