Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk: Med] Regular Expression Denial of Service (4/18/21) #4767

Closed
lbeaufort opened this issue Feb 17, 2021 · 2 comments
Closed

[Snyk: Med] Regular Expression Denial of Service (4/18/21) #4767

lbeaufort opened this issue Feb 17, 2021 · 2 comments
Assignees
@rfultz
Labels
Security: moderate Remediate within 60 days
Milestone
Sprint 14.3

Comments

@lbeaufort
Copy link
Member

lbeaufort commented Feb 17, 2021
edited by rfultz
Loading

Regular Expression Denial of Service (ReDoS)
Vulnerable module: lodash
Introduced through: swagger-tools@0.10.4
Exploit maturity: Proof of concept
Detailed paths
Introduced through: openfec@1.0.0 › swagger-tools@0.10.4 › lodash@4.17.20
Remediation: No remediation path available.
Introduced through: openfec@1.0.0 › swagger-tools@0.10.4 › async@2.6.3 › lodash@4.17.20
Remediation: No remediation path available.
Introduced through: openfec@1.0.0 › swagger-tools@0.10.4 › json-refs@3.0.15 › lodash@4.17.20
Remediation: No remediation path available.
…and 1 more

Overview
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Investigate whether lodash@latest will address it?
@lbeaufort lbeaufort added the Security: moderate Remediate within 60 days label Feb 17, 2021
@lbeaufort lbeaufort added this to the Sprint 14.3 milestone Feb 17, 2021
@lbeaufort lbeaufort mentioned this issue Feb 17, 2021
Closed
1 task
@patphongs patphongs mentioned this issue Feb 24, 2021
Closed
@rfultz rfultz self-assigned this Mar 23, 2021
@rfultz
Copy link
Contributor

rfultz commented Mar 23, 2021

@johnnyporkchops @patphongs do you still see this listed as a vulnerability? Looks like develop is using lodash@4.17.21 which seems to have other vulnerabilities but not this one

@rfultz
Copy link
Contributor

rfultz commented Apr 5, 2021

Closing this as snyk is no longer flagging it

@rfultz rfultz closed this as completed Apr 5, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rfultz rfultz

Labels
Security: moderate Remediate within 60 days
Projects
None yet
Milestone
Sprint 14.3
Development

No branches or pull requests
2 participants
@rfultz @lbeaufort