Closed giovannirco closed 2 years ago
This is in lotus-pond, which is just a dev-oriented UI for quickly spawning small devnets, mostly used for manually testing things related to network updates.
Just updating dependencies in `lotus/lotuspond/front` should be enough.
Closing lotus issue ticket since it has been answered.
Trivy fails build from v1.9.0 tag

I run Trivy after every new Dockerfile build as part of my CI. I have been working on setting up a Lotus node and created a Dockerfile to build it following the docs, cloned the `v1.9.0` tag and built successfully. I ran some tests directly on k8s and it's working fine, but Trivy reports some critical vulnerabilities, which blocks my deploy pipeline. I can of course override this and keep going, and in fact I will while still in the dev env, but I would like to automate this pipeline and deploy to production, and I can't do this with Trivy reporting critical vulns.

Version (run `lotus version`):

To Reproduce
Steps to reproduce the behavior:
```dockerfile
ENV VERSION=v1.9.0 \
    RUSTFLAGS="-C target-cpu=native -g" \
    FFI_BUILD_FROM_SOURCE=1

RUN yum update -y && yum groupinstall "Development Tools" -y \
    && yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm; yum install -y git gcc bzr jq pkgconfig clang llvm mesa-libGL-devel opencl-headers ocl-icd ocl-icd-devel hwloc-devel \
    && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
    && wget -c https://golang.org/dl/go1.16.2.linux-amd64.tar.gz -O - | tar -xz -C /usr/local \
    && source $HOME/.cargo/env && export PATH=$PATH:/usr/local/go/bin \
    && git clone https://github.com/filecoin-project/lotus.git \
    && cd lotus \
    && git checkout $VERSION \
    && make clean \
    && make all \
    && make install \
    && chmod +x /usr/local/bin/lotus* \
    && groupadd --gid 1000 filecoin \
    && useradd --uid 1000 --gid filecoin --shell /bin/bash --create-home filecoin \
    && chown -R filecoin:filecoin /home/filecoin
```
`lotus/extern/test-vectors/gen/extern/filecoin-ffi/rust/Cargo.lock`
Total: 12 (UNKNOWN: 12)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| futures-task | RUSTSEC-2020-0060 | UNKNOWN | 0.3.5 | >= 0.3.6 | futures_task::waker may cause a use-after-free if used on a type that isn't... | rustsec.org/advisories/RUSTSEC-2020-0060 |
| futures-util | RUSTSEC-2020-0059 | UNKNOWN | 0.3.5 | >= 0.3.7 | MutexGuard::map can cause a data race in safe code | rustsec.org/advisories/RUSTSEC-2020-0059 |
| generic-array | RUSTSEC-2020-0146 | UNKNOWN | 0.12.3 | >= 0.8.4, < 0.9.0, >= 0.9.1, < 0.10.0, >= 0.10.1, < 0.11.0, >= 0.11.2, < 0.12.0, >= 0.12.4, < 0.13.0, >= 0.13.3 | arr! macro erases lifetimes | rustsec.org/advisories/RUSTSEC-2020-0146 |
| hyper | RUSTSEC-2021-0020 | UNKNOWN | 0.13.7 | >= 0.14.3, 0.13.10, 0.12.36 | Multiple Transfer-Encoding headers misinterprets request payload | rustsec.org/advisories/RUSTSEC-2021-0020 |
| miow | RUSTSEC-2020-0080 | UNKNOWN | 0.2.1 | >= 0.2.2, >= 0.3.6 | miow invalidly assumes the memory layout of std::net::SocketAddr | rustsec.org/advisories/RUSTSEC-2020-0080 |
| net2 | RUSTSEC-2020-0078 | UNKNOWN | 0.2.35 | >= 0.2.36 | net2 invalidly assumes the memory layout of std::net::SocketAddr | rustsec.org/advisories/RUSTSEC-2020-0078 |
| openssl-src | RUSTSEC-2021-0055 | UNKNOWN | 111.10.2+1.1.1g | >= 111.15 | NULL pointer deref in signature_algorithms processing | rustsec.org/advisories/RUSTSEC-2021-0055 |
| openssl-src | RUSTSEC-2021-0058 | UNKNOWN | | | ... X509_issuer_and_serial_hash() (rest of this row was lost in the paste) | rustsec.org/advisories/RUSTSEC-2021-0058 |
| raw-cpuid | RUSTSEC-2021-0013 | UNKNOWN | 7.0.3 | >= 9.0.0 | native_cpuid::cpuid_count() is unsound | rustsec.org/advisories/RUSTSEC-2021-0013 |
| socket2 | RUSTSEC-2020-0079 | UNKNOWN | 0.3.12 | >= 0.3.16 | socket2 invalidly assumes the memory layout of std::net::SocketAddr | rustsec.org/advisories/RUSTSEC-2020-0079 |

`root/.cargo/registry/src/github.com-1ecc6299db9ec823/addr2line-0.14.1/Cargo.lock`
Total: 1 (UNKNOWN: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| smallvec | RUSTSEC-2021-0003 | UNKNOWN | 1.4.1 | >= 0.6.14, < 1.0.0, >= 1.6.1 | Buffer overflow in SmallVec::insert_many | rustsec.org/advisories/RUSTSEC-2021-0003 |

`root/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-2.33.3/Cargo.lock`
Total: 1 (UNKNOWN: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| yaml-rust | RUSTSEC-2018-0006 | UNKNOWN | 0.3.5 | >= 0.4.1 | Uncontrolled recursion leads to abort in deserialization | rustsec.org/advisories/RUSTSEC-2018-0006 |

`root/.cargo/registry/src/github.com-1ecc6299db9ec823/crossbeam-channel-0.4.4/Cargo.lock`
Total: 1 (UNKNOWN: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| arc-swap | RUSTSEC-2020-0091 | UNKNOWN | 0.4.7 | >= 1.1.0, >= 0.4.8 | Dangling reference in access::Map with Constant | rustsec.org/advisories/RUSTSEC-2020-0091 |

`root/.cargo/registry/src/github.com-1ecc6299db9ec823/flexi_logger-0.14.8/Cargo.lock`
Total: 3 (UNKNOWN: 3)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| miow | RUSTSEC-2020-0080 | UNKNOWN | 0.2.1 | >= 0.2.2, >= 0.3.6 | miow invalidly assumes the memory layout of std::net::SocketAddr | rustsec.org/advisories/RUSTSEC-2020-0080 |
| net2 | RUSTSEC-2020-0078 | UNKNOWN | 0.2.33 | >= 0.2.36 | net2 invalidly assumes the memory layout of std::net::SocketAddr | rustsec.org/advisories/RUSTSEC-2020-0078 |
| smallvec | RUSTSEC-2021-0003 | UNKNOWN | 1.2.0 | >= 0.6.14, < 1.0.0, >= 1.6.1 | Buffer overflow in SmallVec::insert_many | rustsec.org/advisories/RUSTSEC-2021-0003 |

`root/.cargo/registry/src/github.com-1ecc6299db9ec823/hkdf-0.10.0/Cargo.lock`
Total: 1 (UNKNOWN: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| generic-array | RUSTSEC-2020-0146 | UNKNOWN | 0.8.3 | >= 0.8.4, < 0.9.0, >= 0.9.1, < 0.10.0, >= 0.10.1, < 0.11.0, >= 0.11.2, < 0.12.0, >= 0.12.4, < 0.13.0, >= 0.13.3 | arr! macro erases lifetimes | rustsec.org/advisories/RUSTSEC-2020-0146 |

`root/.cargo/registry/src/github.com-1ecc6299db9ec823/itertools-0.8.2/Cargo.lock`
Total: 1 (UNKNOWN: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| rand_core | RUSTSEC-2019-0035 | UNKNOWN | 0.2.2 | >= 0.3.1, >= 0.4.2 | Unaligned memory access | rustsec.org/advisories/RUSTSEC-2019-0035 |

`root/.cargo/registry/src/github.com-1ecc6299db9ec823/rand-0.8.3/Cargo.lock`
Total: 1 (UNKNOWN: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| rand_core | RUSTSEC-2021-0023 | UNKNOWN | 0.6.1 | >= 0.6.2 | Incorrect check on buffer length when seeding RNGs | rustsec.org/advisories/RUSTSEC-2021-0023 |

`root/.cargo/registry/src/github.com-1ecc6299db9ec823/semver-parser-0.10.2/Cargo.lock`
Total: 1 (UNKNOWN: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| generic-array | RUSTSEC-2020-0146 | UNKNOWN | 0.12.3 | >= 0.8.4, < 0.9.0, >= 0.9.1, < 0.10.0, >= 0.10.1, < 0.11.0, >= 0.11.2, < 0.12.0, >= 0.12.4, < 0.13.0, >= 0.13.3 | arr! macro erases lifetimes | rustsec.org/advisories/RUSTSEC-2020-0146 |

`root/.cargo/registry/src/github.com-1ecc6299db9ec823/sha2-0.8.2/Cargo.lock`
Total: 1 (UNKNOWN: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| generic-array | RUSTSEC-2020-0146 | UNKNOWN | 0.12.3 | >= 0.8.4, < 0.9.0, >= 0.9.1, < 0.10.0, >= 0.10.1, < 0.11.0, >= 0.11.2, < 0.12.0, >= 0.12.4, < 0.13.0, >= 0.13.3 | arr! macro erases lifetimes | rustsec.org/advisories/RUSTSEC-2020-0146 |
`lotus/lotuspond/front/package-lock.json`
Total: 25 (MEDIUM: 25)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| acorn | GHSA-6chw-6frg-f759 | MEDIUM | 6.2.1 | 5.7.4, 7.1.1, 6.4.1 | Regular Expression Denial of Service in Acorn | github.com/advisories/GHSA-6chw-6frg-f759 |
| browserslist | CVE-2021-23364 | MEDIUM | 4.5.4 | 4.16.5 | browserslist: parsing of invalid queries could result in Regular Expression Denial of... | avd.aquasec.com/nvd/cve-2021-23364 |
| dns-packet | CVE-2021-23386 | MEDIUM | 1.3.1 | 1.3.2, 5.2.2 | dns-packet: does not always fill buffers before forming network packets which could... | avd.aquasec.com/nvd/cve-2021-23386 |
| elliptic | CVE-2020-28498 | MEDIUM | 6.5.0 | 6.5.4 | Use of a Broken or Risky Cryptographic Algorithm | avd.aquasec.com/nvd/cve-2020-28498 |
| handlebars | GHSA-f52g-6jhx-586p | MEDIUM | 4.1.2 | 4.4.5 | Denial of Service in handlebars | github.com/advisories/GHSA-f52g-6jhx-586p |
| node-fetch | CVE-2020-15168 | MEDIUM | 1.7.3 | 3.0.0-beta.9, 2.6.1 | node-fetch: size of data after fetch() JS thread leads to DoS | avd.aquasec.com/nvd/cve-2020-15168 |
| node-notifier | CVE-2020-7789 | MEDIUM | 5.4.0 | 8.0.1 | nodejs-node-notifier: command injection due to the options params not being sanitised when... | avd.aquasec.com/nvd/cve-2020-7789 |
| postcss | CVE-2021-23368 | MEDIUM | 7.0.17 | 8.2.10 | nodejs-postcss: Regular expression denial of service during source map parsing | avd.aquasec.com/nvd/cve-2021-23368 |
| react-dev-utils | CVE-2021-24033 | MEDIUM | 9.0.1 | 11.0.4 | nodejs-react-dev-utils: function getProcessForPort concatenates input argument into a command string | avd.aquasec.com/nvd/cve-2021-24033 |
| serialize-javascript | CVE-2019-16769 | MEDIUM | 1.7.0 | 2.1.1 | npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions | avd.aquasec.com/nvd/cve-2019-16769 |
| sockjs | CVE-2020-7693 | MEDIUM | 0.3.19 | 0.3.20 | npmjs-sockjs: incorrect handling of upgrade header with the value websocket leads to... | avd.aquasec.com/nvd/cve-2020-7693 |
| url-parse | CVE-2021-27515 | MEDIUM | 1.4.7 | 1.5.0 | nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise | avd.aquasec.com/nvd/cve-2021-27515 |
| ws | CVE-2021-32640 | MEDIUM | 6.2.1 | 6.2.2, 7.4.6 | nodejs-ws: Specially crafted value of the Sec-Websocket-Protocol header can be used to... | avd.aquasec.com/nvd/cve-2021-32640 |
| yargs-parser | CVE-2020-7608 | MEDIUM | 10.1.0 | 5.0.0-security.0, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype pollution vulnerability | avd.aquasec.com/nvd/cve-2020-7608 |
`root/go/pkg/mod/github.com/apache/thrift@v0.13.0/lib/js/package-lock.json`
Total: 2 (MEDIUM: 2)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| minimist | CVE-2020-7598 | MEDIUM | 0.0.8 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a... | avd.aquasec.com/nvd/cve-2020-7598 |

`root/go/pkg/mod/github.com/apache/thrift@v0.13.0/lib/ts/package-lock.json`
Total: 2 (MEDIUM: 2)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| minimist | CVE-2020-7598 | MEDIUM | 0.0.8 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a... | avd.aquasec.com/nvd/cve-2020-7598 |

`root/go/pkg/mod/github.com/apache/thrift@v0.13.0/package-lock.json`
Total: 1 (MEDIUM: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| ws | CVE-2021-32640 | MEDIUM | 5.2.2 | 6.2.2, 7.4.6 | nodejs-ws: Specially crafted value of the Sec-Websocket-Protocol header can be used to... | avd.aquasec.com/nvd/cve-2021-32640 |

`root/go/pkg/mod/github.com/filecoin-project/go-fil-markets@v1.2.5/package-lock.json`
Total: 1 (MEDIUM: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| ws | CVE-2021-32640 | MEDIUM | 6.2.1 | 6.2.2, 7.4.6 | nodejs-ws: Specially crafted value of the Sec-Websocket-Protocol header can be used to... | avd.aquasec.com/nvd/cve-2021-32640 |

`lotus/lotuspond/front/package-lock.json`
Total: 22 (HIGH: 22)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| dot-prop | CVE-2020-8116 | HIGH | 4.2.0 | 5.1.1, 4.2.1 | nodejs-dot-prop: prototype pollution | avd.aquasec.com/nvd/cve-2020-8116 |
| elliptic | CVE-2020-13822 | HIGH | 6.5.0 | 6.5.3 | nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in... | avd.aquasec.com/nvd/cve-2020-13822 |
| handlebars | GHSA-2cf5-4w76-r9qv | HIGH | 4.1.2 | 4.5.2, 3.0.8 | Arbitrary Code Execution in handlebars | github.com/advisories/GHSA-2cf5-4w76-r9qv |

`root/go/pkg/mod/github.com/apache/thrift@v0.13.0/lib/js/package-lock.json`
Total: 2 (HIGH: 2)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| underscore | CVE-2021-23358 | HIGH | 1.6.0 | 1.12.1 | nodejs-underscore: Arbitrary code execution via the template function | avd.aquasec.com/nvd/cve-2021-23358 |

`root/go/pkg/mod/github.com/apache/thrift@v0.13.0/lib/ts/package-lock.json`
Total: 2 (HIGH: 2)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| underscore | CVE-2021-23358 | HIGH | 1.6.0 | 1.12.1 | nodejs-underscore: Arbitrary code execution via the template function | avd.aquasec.com/nvd/cve-2021-23358 |

`root/go/pkg/mod/github.com/libp2p/go-mplex@v0.2.0/interop/js/package-lock.json`
Total: 1 (HIGH: 1)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| lodash | CVE-2021-23337 | HIGH | 4.17.19 | 4.17.21 | nodejs-lodash: command injection via template | avd.aquasec.com/nvd/cve-2021-23337 |

`lotus/lotuspond/front/package-lock.json`
Total: 4 (CRITICAL: 4)

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title | Advisory |
|---|---|---|---|---|---|---|
| eslint-utils | CVE-2019-15657 | CRITICAL | 1.4.0 | 1.4.1 | Arbitrary Code Execution in eslint-utils | avd.aquasec.com/nvd/cve-2019-15657 |
| handlebars | CVE-2019-19919 | CRITICAL | 4.1.2 | 4.3.0 | nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads | avd.aquasec.com/nvd/cve-2019-19919 |
Additional context
I tried to find these packages/libraries in the code to change the versions, but I don't really know what I am doing, so I would like to hear from others how I can fix this.
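Every path Trivy lists above is either a build cache (`root/.cargo/registry/...`, `root/go/pkg/mod/...`) or the cloned source tree (`lotus/extern/...`, `lotus/lotuspond/front/package-lock.json`). None of it is needed to run the node; it is in the image only because the recipe in the report builds and runs in the same stage. The Dockerfile below is an added example, not the reporter's file and not anything shipped by the lotus project: it keeps the same build steps in a builder stage and copies only the installed binaries into a runtime stage, so the lockfiles Trivy flagged are not present in the image that gets scanned and deployed. It assumes the original build ran on `centos:7` (the recipe installs EPEL 7), that the image is tagged `lotus:v1.9.0`, and that `hwloc-libs` and `ocl-icd` are the runtime packages the FFI-built binaries need (the reporter's recipe installs `hwloc-devel` and `ocl-icd-devel` to compile against them).

```dockerfile
# Added example (not the lotus project's Dockerfile and not the reporter's file).
# Same build recipe as the bug report, split into a builder stage and a runtime
# stage. Assumptions: centos:7 is the base the original recipe ran on; hwloc-libs
# (CentOS 7 base) and ocl-icd (EPEL 7) provide the shared libraries the binaries
# link against when filecoin-ffi is built from source.

FROM centos:7 AS builder

ENV VERSION=v1.9.0 \
    RUSTFLAGS="-C target-cpu=native -g" \
    FFI_BUILD_FROM_SOURCE=1

# `source` in the original recipe requires bash; make that explicit.
SHELL ["/bin/bash", "-c"]

RUN yum update -y && yum groupinstall "Development Tools" -y \
    && yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
    && yum install -y git gcc bzr jq pkgconfig clang llvm mesa-libGL-devel opencl-headers \
         ocl-icd ocl-icd-devel hwloc-devel wget \
    && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
    && wget -c https://golang.org/dl/go1.16.2.linux-amd64.tar.gz -O - | tar -xz -C /usr/local

# rustup installs to /root/.cargo/bin; Go was unpacked to /usr/local/go.
ENV PATH=/root/.cargo/bin:/usr/local/go/bin:$PATH

# The checkout, /root/.cargo/registry and /root/go/pkg/mod are created here and
# stay in this stage; nothing below FROM centos:7 sees them.
RUN git clone https://github.com/filecoin-project/lotus.git \
    && cd lotus \
    && git checkout $VERSION \
    && make clean \
    && make all \
    && make install

FROM centos:7

# Runtime dependencies only: no compilers, no Go/Rust toolchains, no source tree.
RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
    && yum install -y hwloc-libs ocl-icd ca-certificates \
    && yum clean all \
    && groupadd --gid 1000 filecoin \
    && useradd --uid 1000 --gid filecoin --shell /bin/bash --create-home filecoin

# `make install` in the builder placed lotus, lotus-miner and lotus-worker here.
COPY --from=builder /usr/local/bin/lotus* /usr/local/bin/

USER filecoin
WORKDIR /home/filecoin
ENTRYPOINT ["lotus"]
CMD ["daemon"]
```

Build and scan with `docker build -t lotus:v1.9.0 .` followed by `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 lotus:v1.9.0`. Only the final stage is scanned, so the cargo registry, Go module cache and lotuspond lockfiles disappear with the builder, and `--ignore-unfixed` keeps the gate from failing on CentOS package findings that have no fixed version yet. Two caveats. First, dropping the lockfiles removes findings for code that was never shipped (lotuspond is a dev UI, and a cargo registry cache holds crates the build did not necessarily link), but it also hides the lockfile for crates that are compiled into filecoin-ffi; a lockfile scan cannot tell those two cases apart, so run `cargo audit` (or `trivy fs`) against the source checkout as a separate CI job and judge those findings on their own. Second, Trivy reports the RustSec advisories above as UNKNOWN because they carry no severity it can map, and `--severity` fails the gate only on the levels you name, so decide explicitly whether UNKNOWN should block. If the image layout cannot change, `--skip-dirs` and `--skip-files` scope the scan to the paths you actually ship and a `.trivyignore` file suppresses individual IDs; either is better than dropping `--exit-code 1`, provided each ignored ID has a recorded reason.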