We have successfully deployed Project Trumpet within our AWS GovCloud environment, and recently we updated to Inspector v2 and started scanning our Lambda functions for vulnerabilities. Inspector v2 discovered 5 Critical vulnerabilities for the following software packages:
`aws:cloudformation:logical-id: ConfigurationRecorderSanitiser`, affected packages:

| CVE | Package | Installed version | Fixed version | Package manager | File path |
|---|---|---|---|---|---|
| CVE-2019-10744 | lodash | 4.17.5 | 4.17.12 | NODEPKG | node_modules/lodash/package.json |
| CVE-2020-28472 | aws-sdk | 2.211.0 | 2.814.0 | NODEPKG | node_modules/aws-sdk/package.json |

`aws:cloudformation:logical-id: BackingLambdaConfigLogProcessor`, affected packages:

| CVE | Package | Installed version | Fixed version | Package manager | File path |
|---|---|---|---|---|---|
| CVE-2021-3918 | json-schema | 0.2.3 | 0.4.0 | NODEPKG | node_modules/json-schema/package.json |
| CVE-2018-16492 | extend | 3.0.1 | 3.0.2 | NODEPKG | node_modules/extend/package.json |
| CVE-2018-1000620 | cryptiles | 3.1.2 | 4.1.2 | NODEPKG | node_modules/cryptiles/package.json |
We need assistance updating these packages to the updated versions to remediate these vulnerabilities.