ironmansoftware / issues

Public Issue tracker for Ironman Software products.
https://ironmansoftware.com

Out of date Underscore JS #3416

Closed djgrijalva closed 1 week ago

djgrijalva commented 2 weeks ago

Version

4.2.21

Severity

Medium

Environment

msi

Steps to Reproduce

PSU is using Underscore JS 1.8.3 which has a current CVE-2021-23358 for Arbitrary Code Injection

Expected behavior

no vulnerable component

Actual behavior

Safe version of Underscore JS is 1.13.6

Additional Environment data

No response

Screenshots/Animations

No response

adamdriscoll commented 1 week ago

Can you let me know how you determined this? I'm not seeing it in our NPM dependency tree.

djgrijalva commented 1 week ago

This and the other 2 issues I put in were found by my company's security team when doing a scan of our PSU site. This is what their report said on this:

The graphics below show the versions of the technical stack via Burp Suite. A readily available browser extension highlights the application framework and software components and their versions, making it easier for an attacker to identify the exploits, as seen below.


adamdriscoll commented 1 week ago

We aren't using Underscore. It looks like this is a problem with the license info coming from Lodash. https://github.com/lodash/lodash/issues/5579
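A triage step for this kind of finding, added here as an example and not code from the thread or from PSU: it pulls library/version strings out of a bundle's license comments and checks each against the project's package-lock.json, so a version that appears only in an attribution line (as with lodash's reference to Underscore) is separated from a package that is actually installed. The bundle text and lockfile below are constructed samples, not PSU's files.

```python
import json
import re

# Constructed bundle excerpt: the only mention of Underscore is an attribution
# line inside lodash's license header, modelled on the real one but not copied.
SAMPLE_BUNDLE = """/**
 * @license
 * Lodash <https://lodash.com/>
 * Released under MIT license <https://lodash.com/license>
 * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
 */
var lodash=(function(){return {};})();
"""

# Constructed lockfile excerpt: lodash is installed, underscore is not.
SAMPLE_LOCK = json.dumps({
    "name": "constructed-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"lodash": "^4.17.21"}},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

# Library name followed by a semantic version, the pattern a passive scanner keys on.
BANNER_RE = re.compile(r"(Underscore\.js|Lodash)\s+v?(\d+(?:\.\d+){2})", re.I)


def banner_mentions(bundle_text):
    """Return {library: version} for version strings found in banner comments."""
    found = {}
    for m in BANNER_RE.finditer(bundle_text):
        found[m.group(1).lower().replace(".js", "")] = m.group(2)
    return found


def installed_packages(lock_json):
    """Map package name -> version from a package-lock.json 'packages' map (v2/v3)."""
    lock = json.loads(lock_json)
    return {
        path.rsplit("node_modules/", 1)[1]: meta.get("version")
        for path, meta in lock.get("packages", {}).items()
        if path.startswith("node_modules/")
    }


def triage(bundle_text, lock_json):
    """Label each banner hit 'installed' (real dependency) or 'attribution-only'."""
    installed = installed_packages(lock_json)
    return {name: ("installed" if name in installed else "attribution-only")
            for name in banner_mentions(bundle_text)}
```

An 'attribution-only' result is what to show the scanning team alongside the lockfile; an 'installed' result means the dependency really is shipped and should be bumped.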