Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-10744
### Vulnerable Library - lodash-4.17.11.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Dependency Hierarchy: - adamant-api-0.5.3.tgz (Root Library) - bitcore-mnemonic-1.7.0.tgz - bitcore-lib-0.16.0.tgz - :x: **lodash-4.17.11.tgz** (Vulnerable Library)
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
### Vulnerability DetailsVersions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (adamant-api): 1.0.0
CVE-2020-13822
### Vulnerable Library - elliptic-6.4.0.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Dependency Hierarchy: - adamant-api-0.5.3.tgz (Root Library) - bitcore-mnemonic-1.7.0.tgz - bitcore-lib-0.16.0.tgz - :x: **elliptic-6.4.0.tgz** (Vulnerable Library)
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
### Vulnerability DetailsThe Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
### CVSS 3 Score Details (7.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (adamant-api): 1.0.0
CVE-2020-8203
### Vulnerable Library - lodash-4.17.11.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Dependency Hierarchy: - adamant-api-0.5.3.tgz (Root Library) - bitcore-mnemonic-1.7.0.tgz - bitcore-lib-0.16.0.tgz - :x: **lodash-4.17.11.tgz** (Vulnerable Library)
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
### Vulnerability DetailsPrototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
### CVSS 3 Score Details (7.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (adamant-api): 1.0.0
CVE-2021-23337
### Vulnerable Library - lodash-4.17.11.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Dependency Hierarchy: - adamant-api-0.5.3.tgz (Root Library) - bitcore-mnemonic-1.7.0.tgz - bitcore-lib-0.16.0.tgz - :x: **lodash-4.17.11.tgz** (Vulnerable Library)
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
### Vulnerability DetailsLodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
### CVSS 3 Score Details (7.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (adamant-api): 1.0.0
CVE-2020-28498
### Vulnerable Library - elliptic-6.4.0.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Dependency Hierarchy: - adamant-api-0.5.3.tgz (Root Library) - bitcore-mnemonic-1.7.0.tgz - bitcore-lib-0.16.0.tgz - :x: **elliptic-6.4.0.tgz** (Vulnerable Library)
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
### Vulnerability DetailsThe package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
### CVSS 3 Score Details (6.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (adamant-api): 1.0.0
WS-2019-0424
### Vulnerable Library - elliptic-6.4.0.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Dependency Hierarchy: - adamant-api-0.5.3.tgz (Root Library) - bitcore-mnemonic-1.7.0.tgz - bitcore-lib-0.16.0.tgz - :x: **elliptic-6.4.0.tgz** (Vulnerable Library)
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
### Vulnerability Detailsall versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (adamant-api): 1.0.0
CVE-2020-28500
### Vulnerable Library - lodash-4.17.11.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Dependency Hierarchy: - adamant-api-0.5.3.tgz (Root Library) - bitcore-mnemonic-1.7.0.tgz - bitcore-lib-0.16.0.tgz - :x: **lodash-4.17.11.tgz** (Vulnerable Library)
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
### Vulnerability DetailsLodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (adamant-api): 1.0.0
WS-2019-0427
### Vulnerable Library - elliptic-6.4.0.tgzEC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Dependency Hierarchy: - adamant-api-0.5.3.tgz (Root Library) - bitcore-mnemonic-1.7.0.tgz - bitcore-lib-0.16.0.tgz - :x: **elliptic-6.4.0.tgz** (Vulnerable Library)
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
Found in base branch: main
### Vulnerability DetailsThe function getNAF() in elliptic library has information leakage. This issue is mitigated in version 6.5.2
Publish Date: 2019-11-22
URL: WS-2019-0427
### CVSS 3 Score Details (5.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: N/A - Attack Complexity: N/A - Privileges Required: N/A - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-11-22
Fix Resolution (elliptic): 6.5.2
Direct dependency fix Resolution (adamant-api): 1.0.0