Closed ragamuffin-coder closed 2 years ago
Can you be a little more specific? Because the links you've provided don't seem to mention the exact dependency from which the vulnerability supposedly originates.
Yeah, had to follow the rabbit hole. Sonatype should directly reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337
It says "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function." but the dependency used is version 4.17.21 (and it's only a devDependency). I'm not sure what the issue is?
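To check the point made above, here is an added example (not code from the BigInteger.js project) that takes a constructed package-lock fragment, compares the installed version against the fixed version quoted from the advisory, and reports whether the flagged package is only a devDependency. The lockfile layout and the `assessAdvisory` helper are assumptions for illustration.

```javascript
// Added example: evaluate a scanner finding of the form "versions prior to
// <fixed> are vulnerable" against a package-lock v2/v3 style "packages" map,
// where "dev": true marks entries that are only development dependencies.

// Constructed lockfile fragment for illustration (not the project's real lockfile).
const lockfile = {
  name: "big-integer",
  lockfileVersion: 2,
  packages: {
    "node_modules/lodash": { version: "4.17.21", dev: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Compare two dotted numeric versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Assess one advisory against the lockfile. "vulnerable" is true only when the
// installed version is strictly below the fixed version; "dev" tells whether
// the package ships only as a devDependency (not part of the runtime build).
function assessAdvisory(lock, pkgName, fixedVersion) {
  const entry = lock.packages[`node_modules/${pkgName}`];
  if (!entry) {
    return { found: false, version: null, dev: false, vulnerable: false };
  }
  return {
    found: true,
    version: entry.version,
    dev: entry.dev === true,
    vulnerable: compareVersions(entry.version, fixedVersion) < 0,
  };
}

// CVE-2021-23337 as quoted in the thread: lodash prior to 4.17.21.
const result = assessAdvisory(lockfile, "lodash", "4.17.21");
console.log(result); // 4.17.21 is the fixed version, and dev-only here
```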
Hi @peterolson, can you please address this command injection vulnerability? It is being flagged by OWASP Dependency Track as a risk in our projects.
`npm audit` no longer reports vulnerabilities in version 1.6.50
CVE-2021-41720 is currently being disputed by the Lodash team. Please join the conversation here if you have any further concerns. In the meantime you can either take their word for it and simply ignore the warning or, barring that, just forgo building this package until the matter is "officially" settled. Both BigInteger.js and BigInteger.min.js are prebuilt (and can be found in the root directory of this repo).
Latest release v1.6.49 is being flagged as having a critical vulnerability by Sonatype.
The exact vulnerability reported through OWASP dependency check is as follows: https://ossindex.sonatype.org/vulnerability/afbfcdda-fd2d-42b6-aa10-bf8343466d99