Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk: HIGH] Underscore Arbitrary Code Execution (due 4/30/21) #4523

Closed
2 tasks
johnnyporkchops opened this issue Mar 30, 2021 · 2 comments · Fixed by #4535
Closed
2 tasks

[Snyk: HIGH] Underscore Arbitrary Code Execution (due 4/30/21) #4523

johnnyporkchops opened this issue Mar 30, 2021 · 2 comments · Fixed by #4535
Assignees
@rfultz
Labels
High priority HOTFIX Merge with git flow Security: high Remediate within 30 days Work: Front-end
Milestone
Sprint 14.5

Comments

@johnnyporkchops
Copy link
Contributor

johnnyporkchops commented Mar 30, 2021
edited by rfultz
Loading

Summary

Underscore Arbitrary Code Execution

Detailed paths
Introduced through: fec-cms@1.0.0 › underscore@1.9.1
Remediation: Upgrade to underscore@1.12.1
Introduced through: fec-cms@1.0.0 › glossary-panel@1.0.0 › underscore@1.9.1
Remediation: No remediation path available.
Overview
underscore is a JavaScript's functional programming helper library.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Completion criteria

  • Determine how we're affected by this
  • Decide whether we tag this to come back when there's a remediation path, OR refactor all of our codebase to remove underscore (and/or lodash)
@johnnyporkchops johnnyporkchops added the Security: high Remediate within 30 days label Mar 30, 2021
@johnnyporkchops johnnyporkchops added this to the Sprint 14.4 milestone Mar 30, 2021
@johnnyporkchops johnnyporkchops mentioned this issue Mar 30, 2021
Closed
1 task
@rfultz rfultz self-assigned this Apr 5, 2021
@rfultz rfultz mentioned this issue Apr 6, 2021
Merged
@pkfec pkfec mentioned this issue Apr 7, 2021
Closed
@rfultz rfultz mentioned this issue Apr 14, 2021
Closed
1 task
@patphongs
Copy link
Member

This upgrade broke our filings datatables on the canonical candidate and committee profile pages. Need to revisit to see how to upgrade and patch this later.

@patphongs patphongs reopened this Apr 27, 2021
@patphongs patphongs modified the milestones: Sprint 14.4, Sprint 14.5 Apr 27, 2021
This was referenced Apr 28, 2021
Closed
Merged
@patphongs patphongs mentioned this issue Apr 29, 2021
Closed
1 task
@rfultz
Copy link
Contributor

rfultz commented Apr 29, 2021

Closing this because its tickets have been merged

@rfultz rfultz closed this as completed Apr 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rfultz rfultz

Labels
High priority HOTFIX Merge with git flow Security: high Remediate within 30 days Work: Front-end
Projects
None yet
Milestone
Sprint 14.5
Development

Successfully merging a pull request may close this issue.

Up-grade under-score fecgov/fec-cms
3 participants
@johnnyporkchops @patphongs @rfultz