peterolson / BigInteger.js

An arbitrary length integer library for Javascript
The Unlicense
1.12k stars, 187 forks

Sonatype reporting critical vulnerability in 1.6.49 #220

Closed ragamuffin-coder closed 2 years ago

ragamuffin-coder commented 2 years ago

Latest release v1.6.49 is being flagged as having a critical vulnerability by Sonatype.

The exact vulnerability reported through OWASP dependency check is as follows: https://ossindex.sonatype.org/vulnerability/afbfcdda-fd2d-42b6-aa10-bf8343466d99

gardhr commented 2 years ago

Can you be a little more specific? Because the links you've provided don't seem to mention the exact dependency from which the vulnerability supposedly originates.

attritionorg commented 2 years ago

Yeah, had to follow the rabbit hole. Sonatype should directly reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337

peterolson commented 2 years ago

It says "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function." but the dependency used is version 4.17.21 (and it's only a devDependency). I'm not sure what the issue is?

Masireddy65 commented 2 years ago

Hi @peterolson, can you please address this command injection vulnerability? It is being flagged by OWASP Dependency Track as a risk in our projects.

peterolson commented 2 years ago

npm audit no longer reports vulnerabilities in version 1.6.50

gardhr commented 2 years ago

> Can you please address this command injection vulnerability. It is being flagged by OWASP Dependency Track as a risk in our projects.

CVE-2021-41720 is currently being disputed by the Lodash team. Please join the conversation here if you have any further concerns. In the meantime you can either take their word for it and simply ignore the warning or barring that just forgo building this package until the matter is "officially" settled. Both BigInteger.js and BigInteger.min.js are prebuilt (and can be found in the root directory of this repo).
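The triage question running through this thread is whether a flagged package is actually installed below the fixed version and whether it is reachable at runtime or only at build time (a devDependency). The script below is an added example, not code from the BigInteger.js project: it walks an npm lockfile-v2 style `packages` map, compares each installed copy of the advisory's package against the fixed version (4.17.21 for lodash, as quoted above), and uses the lockfile's `dev` flag to separate runtime exposure from dev-only exposure. The lockfile, the `some-tool` package and the nested lodash copy are constructed sample data; the version comparison is a simplified semver check that ignores prerelease tags.

```javascript
// Added example (not from the BigInteger.js project): triage a flagged
// package against an npm lockfile-v2 style "packages" map, distinguishing
// runtime exposure from dev-only exposure the way `npm audit` does.

// Compare two dotted versions numerically ("4.17.9" < "4.17.21").
// Simplification for this example: prerelease tags after "-" are ignored.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path, e.g.
// "node_modules/some-tool/node_modules/lodash" -> "lodash".
function nameFromPath(lockPath) {
  return lockPath.split("node_modules/").pop();
}

// Inspect every installed copy of the advisory's package (nested copies
// included) and record whether it is below the fixed version and whether
// the lockfile marks it as dev-only.
function triageAdvisory(lock, advisory) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || nameFromPath(lockPath) !== advisory.name) continue;
    findings.push({
      path: lockPath,
      version: entry.version,
      vulnerable: compareSemver(entry.version, advisory.fixedIn) < 0,
      devOnly: entry.dev === true,
    });
  }
  return findings;
}

// One verdict for the whole tree: "runtime" if any vulnerable copy ships to
// consumers, "dev-only" if vulnerable copies exist only on the build side,
// "clean" if every installed copy is at or above the fixed version.
function verdict(findings) {
  const vuln = findings.filter((f) => f.vulnerable);
  if (vuln.length === 0) return "clean";
  return vuln.some((f) => !f.devOnly) ? "runtime" : "dev-only";
}

// Constructed sample lockfile: lodash 4.17.21 as a direct devDependency,
// plus a hypothetical build tool pulling in a nested, older lodash copy.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { "big-integer": "^1.6.50" },
      devDependencies: { lodash: "^4.17.21", "some-tool": "^1.0.0" },
    },
    "node_modules/big-integer": { version: "1.6.50" },
    "node_modules/lodash": { version: "4.17.21", dev: true },
    "node_modules/some-tool": { version: "1.0.0", dev: true, dependencies: { lodash: "^4.17.20" } },
    "node_modules/some-tool/node_modules/lodash": { version: "4.17.20", dev: true },
  },
};

// Advisory data as quoted in the thread: lodash before 4.17.21 is affected.
const lodashAdvisory = { name: "lodash", cve: "CVE-2021-23337", fixedIn: "4.17.21" };

const findings = triageAdvisory(sampleLock, lodashAdvisory);
console.log(findings);
console.log(`${lodashAdvisory.cve}: ${verdict(findings)}`);
```

A "dev-only" verdict is still worth recording, since the vulnerable copy runs during builds; it just means consumers of the prebuilt artifacts are not shipping the affected code.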