mojaloop / project

Repo to track product development issues for the Mojaloop project.

Security Vulnerability : CVE-2019-19919 - Prototype Pollution #2171

Closed Dorota-MB closed 3 years ago

Dorota-MB commented 3 years ago

Summary: the lodash package, in versions prior to 4.17.20, is vulnerable to Prototype Pollution in zipObjectDeep due to an incomplete fix for CVE-2020-8203.

Severity: Medium

Priority: High

Expected Behavior: Upgrade lodash to version 4.17.20 or higher.

Steps to Reproduce: N/A

Specifications

Notes:
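The bug class named in the report, as an added example that is not code from Mojaloop or lodash: a minimal path-based deep set of the kind zipObjectDeep relies on, first in a form that lets an attacker-controlled path such as `__proto__.isAdmin` write onto Object.prototype, then hardened by refusing prototype-chain keys and only descending through own properties. The function names (`setPathUnsafe`, `setPathSafe`, `zipObjectDeepUnsafe`, `zipObjectDeepSafe`, `isPolluted`, `demonstrate`) are this example's own, and the hardening shown is a general pattern, not lodash's exact patch.

```javascript
// Added example, not code from Mojaloop or lodash: a minimal path-based deep
// set of the kind zipObjectDeep relies on, shown unsafe and then hardened.
// Function names here (setPath*, zipObjectDeep*, isPolluted, demonstrate)
// are this example's own.

// Unsafe: creates intermediate objects along the dotted path and writes the
// leaf. A path such as "__proto__.isAdmin" walks through the inherited
// __proto__ accessor onto Object.prototype, so the write lands on every
// plain object in the process.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (node[k] === null || typeof node[k] !== 'object') node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only descend
// through own properties so an inherited object can never be the write target.
// (This is the hardening pattern used in this example, not lodash's exact patch.)
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing to set a path through "${k}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || node[k] === null || typeof node[k] !== 'object') node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// zipObjectDeep(paths, values): build an object from parallel path/value
// arrays, e.g. (['a.b'], [1]) -> { a: { b: 1 } }. Attacker-controlled paths
// are the pollution vector.
function zipObjectDeepUnsafe(paths, values) {
  const result = {};
  paths.forEach((p, i) => setPathUnsafe(result, p, values[i]));
  return result;
}

function zipObjectDeepSafe(paths, values) {
  const result = {};
  paths.forEach((p, i) => setPathSafe(result, p, values[i]));
  return result;
}

// True if Object.prototype itself carries an own property `name`.
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Run the unsafe and safe variants against the same hostile input and report
// what an unrelated object observes before, during and after.
function demonstrate() {
  const unrelated = {};
  const before = unrelated.isAdmin; // undefined: nothing set yet
  zipObjectDeepUnsafe(['__proto__.isAdmin'], [true]);
  const polluted = unrelated.isAdmin === true && isPolluted('isAdmin');
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the process
  let safeRejected = false;
  try {
    zipObjectDeepSafe(['__proto__.isAdmin'], [true]);
  } catch (e) {
    safeRejected = true;
  }
  return {
    before,
    polluted,
    safeRejected,
    cleanAfter: unrelated.isAdmin === undefined,
  };
}

console.log(demonstrate());
```

The point to take from `demonstrate()` is that `unrelated` is never touched by the call, yet it observes `isAdmin === true` afterwards: any code in the same process that checks a property with truthiness or `in` rather than an own-property check is now affected. That is why the remediation is a library upgrade rather than a local input filter, and why a blocklist alone is not enough: the safe variant also refuses to descend through inherited properties.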

mdebarros commented 3 years ago

This issue has been fixed in the v11.5.0 release: https://github.com/mojaloop/account-lookup-service/releases/tag/v11.5.0

Snyk Remediation recommends that lodash is upgraded to version 4.17.20 or higher: https://snyk.io/vuln/SNYK-JS-LODASH-590103.

As per the following dependency tree for the v11.5.0 release, all versions of lodash meet this requirement:

$ npm ls lodash

account-lookup-service@11.4.0 /.../mojaloop/git/account-lookup-service
├─┬ @mojaloop/central-services-database@10.7.0
│ ├─┬ knex@0.95.5
│ │ └── lodash@4.17.21  deduped
│ └── lodash@4.17.21 
├─┬ @mojaloop/central-services-error-handling@11.3.0
│ └── lodash@4.17.21 
├─┬ @mojaloop/central-services-shared@13.0.1
│ ├─┬ data-urls@2.0.0
│ │ └─┬ whatwg-url@8.5.0
│ │   └── lodash@4.17.20  deduped
│ ├── lodash@4.17.21 
│ ├─┬ openapi-backend@3.9.2
│ │ ├── lodash@4.17.20 
│ │ └─┬ mock-json-schema@1.0.8
│ │   └── lodash@4.17.20  deduped
│ └─┬ shins@2.6.0
│   └─┬ sanitize-html@1.27.5
│     └── lodash@4.17.20  deduped
├─┬ UNMET PEER DEPENDENCY @mojaloop/event-sdk@10.7.1
│ └── lodash@4.17.21 
├─┬ jest@27.0.1
│ └─┬ @jest/core@27.0.1
│   └─┬ jest-snapshot@27.0.1
│     ├─┬ @babel/traverse@7.12.13
│     │ └── lodash@4.17.20  deduped
│     └─┬ @babel/types@7.12.13
│       └── lodash@4.17.20  deduped
├─┬ jsdoc@3.6.7
│ ├─┬ catharsis@0.9.0
│ │ └── lodash@4.17.20  deduped
│ └─┬ requizzle@0.2.3
│   └── lodash@4.17.20  deduped
├─┬ knex@0.95.6
│ └── lodash@4.17.21 
├─┬ npm-check-updates@11.5.13
│ └── lodash@4.17.21 
├─┬ nyc@15.1.0
│ └─┬ istanbul-lib-instrument@4.0.3
│   └─┬ @babel/core@7.12.13
│     ├─┬ @babel/helper-module-transforms@7.12.13
│     │ └── lodash@4.17.20  deduped
│     └── lodash@4.17.20  deduped
├─┬ request-promise-native@1.0.9
│ └─┬ request-promise-core@1.1.4
│   └── lodash@4.17.20  deduped
├─┬ standard@16.0.3
│ └─┬ eslint@7.13.0
│   ├─┬ @eslint/eslintrc@0.2.2
│   │ └── lodash@4.17.20  deduped
│   ├── lodash@4.17.20  deduped
│   └─┬ table@5.4.6
│     └── lodash@4.17.20  deduped
└─┬ standard-version@9.3.0
  ├─┬ conventional-changelog@3.1.24
  │ └─┬ conventional-changelog-core@4.2.2
  │   ├─┬ conventional-changelog-writer@4.1.0
  │   │ └── lodash@4.17.20  deduped
  │   └── lodash@4.17.20  deduped
  ├─┬ conventional-changelog-conventionalcommits@4.5.0
  │ └── lodash@4.17.20  deduped
  └─┬ conventional-recommended-bump@6.1.0
    ├─┬ conventional-commits-parser@3.2.1
    │ └── lodash@4.17.20  deduped
    └─┬ git-raw-commits@2.0.10
      └── lodash@4.17.20  deduped
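Reading a tree like the one above by eye works for one package, but the same check is easy to automate against `npm ls --json`. The following is an added example, not Mojaloop tooling: it walks a tree in the shape npm's JSON output uses (`{ name, version, dependencies: { <name>: { version, dependencies } } }`), collects every copy of a named package with the path that pulled it in, and flags those below the Snyk-recommended minimum of 4.17.20. Both fixtures are constructed for this example (the first mirrors a few entries of the tree quoted in the comment, the second deliberately pins one transitive copy below the fix); `parseSemver`, `compareSemver`, `findVersions` and `vulnerableCopies` are this example's own names, and the comparator ignores pre-release and build suffixes.

```javascript
// Added example (not Mojaloop tooling): check every copy of a package in an
// `npm ls --json` tree against a minimum fixed version. The trees below are
// constructed for this example and are not the project's real tree.

const MIN_LODASH = '4.17.20'; // minimum recommended by the Snyk advisory quoted in the issue

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are dropped.
function parseSemver(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Walk the tree and return every occurrence of `name` with its resolved
// version and the dependency path that pulled it in. A copy marked "deduped"
// in text output still resolves to a version, so it counts here too.
function findVersions(tree, name, path = [tree.name], out = []) {
  const deps = tree.dependencies || {};
  for (const [depName, dep] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name && dep.version) {
      out.push({ path: here.join(' > '), version: dep.version });
    }
    findVersions(dep, name, here, out);
  }
  return out;
}

// Occurrences of `name` whose version is below `minVersion`.
function vulnerableCopies(tree, name, minVersion) {
  return findVersions(tree, name).filter(
    (o) => compareSemver(o.version, minVersion) < 0,
  );
}

// Constructed fixture: same shape as the tree quoted in the comment, with a
// few of its entries; every lodash copy is 4.17.20 or 4.17.21.
const FIXED_TREE = {
  name: 'account-lookup-service',
  version: '11.5.0',
  dependencies: {
    '@mojaloop/central-services-database': {
      version: '10.7.0',
      dependencies: {
        knex: { version: '0.95.5', dependencies: { lodash: { version: '4.17.21' } } },
        lodash: { version: '4.17.21' },
      },
    },
    'openapi-backend': {
      version: '3.9.2',
      dependencies: { lodash: { version: '4.17.20' } },
    },
  },
};

// Constructed fixture: one transitive copy pinned below the fix, to show
// what a failing check reports.
const STALE_TREE = {
  name: 'example-service',
  version: '0.0.1',
  dependencies: {
    lodash: { version: '4.17.21' },
    'some-plugin': {
      version: '1.0.0',
      dependencies: { lodash: { version: '4.17.15' } },
    },
  },
};

console.log('fixed tree:', vulnerableCopies(FIXED_TREE, 'lodash', MIN_LODASH));
console.log('stale tree:', vulnerableCopies(STALE_TREE, 'lodash', MIN_LODASH));
```

To run it against a real checkout, replace a fixture with `JSON.parse(require('child_process').execSync('npm ls lodash --json --all').toString())`; an empty result from `vulnerableCopies` is the condition the comment above asserts by hand. Note that a clean tree only proves the installed copies are patched; the lockfile committed to the repository should be checked the same way so a fresh install cannot resolve an older copy.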