
potential security vulnerability issue #305

Closed
bhadana-rajesh opened this issue Apr 19, 2021 · 1 comment
Labels: invalid, security

Comments

@bhadana-rajesh

Hi,

Potential security vulnerability issue in one of the dependencies, underscore@1.10.2:

7.2 CVE-2021-23358 Mar-29-2021 underscore-1.10.2.js: The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized. Upgrade to version underscore 1.12.1, 1.13.0-2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Dependency tree
+-- karma-ui5@2.3.3
| +-- @ui5/fs@2.0.6
| | +-- @ui5/logger@2.0.1
| | | `-- npmlog@4.1.2
| | | +-- are-we-there-yet@1.1.5
| | | | +-- delegates@1.0.0
| | | | `-- readable-stream@2.3.7 deduped
| | | +-- console-control-strings@1.1.0
| | | +-- gauge@2.7.4
| | | | +-- aproba@1.2.0
| | | | +-- console-control-strings@1.1.0 deduped
| | | | +-- has-unicode@2.0.1
| | | | +-- object-assign@4.1.1 deduped
| | | | +-- signal-exit@3.0.3 deduped
| | | | +-- string-width@1.0.2
| | | | | +-- code-point-at@1.1.0
| | | | | +-- is-fullwidth-code-point@1.0.0
| | | | | | `-- number-is-nan@1.0.1 deduped
| | | | | `-- strip-ansi@3.0.1 deduped
| | | | +-- strip-ansi@3.0.1 deduped
| | | | `-- wide-align@1.1.3
| | | | `-- string-width@2.1.1 deduped
| | | `-- set-blocking@2.0.0
| | +-- clone@2.1.2 deduped
| | +-- globby@11.0.3
| | | +-- array-union@2.1.0
| | | +-- dir-glob@3.0.1
| | | | `-- path-type@4.0.0
| | | +-- fast-glob@3.2.5
| | | | +-- @nodelib/fs.stat@2.0.4
| | | | +-- @nodelib/fs.walk@1.2.6
| | | | | +-- @nodelib/fs.scandir@2.1.4
| | | | | | +-- @nodelib/fs.stat@2.0.4 deduped
| | | | | | `-- run-parallel@1.2.0
| | | | | | `-- queue-microtask@1.2.3
| | | | | `-- fastq@1.11.0
| | | | | `-- reusify@1.0.4
| | | | +-- glob-parent@5.1.2
| | | | | `-- is-glob@4.0.1
| | | | | `-- is-extglob@2.1.1
| | | | +-- merge2@1.4.1 deduped
| | | | +-- micromatch@4.0.4
| | | | | +-- braces@3.0.2 deduped
| | | | | `-- picomatch@2.2.3 deduped
| | | | `-- picomatch@2.2.3 deduped
| | | +-- ignore@5.1.8
| | | +-- merge2@1.4.1
| | | `-- slash@3.0.0
| | +-- graceful-fs@4.2.6 deduped
| | +-- make-dir@3.1.0 deduped
| | +-- micromatch@4.0.4
| | | +-- braces@3.0.2 deduped
| | | `-- picomatch@2.2.3 deduped
| | +-- minimatch@3.0.4 deduped
| | +-- pretty-hrtime@1.0.3
| | `-- random-int@2.0.1
| +-- @ui5/project@2.3.1
| | +-- @ui5/builder@2.8.2
| | | +-- @ui5/fs@2.0.6 deduped
| | | +-- @ui5/logger@2.0.1 deduped
| | | +-- cheerio@0.22.0
| | | | +-- css-select@1.2.0
| | | | | +-- boolbase@1.0.0
| | | | | +-- css-what@2.1.3
| | | | | +-- domutils@1.5.1
| | | | | | +-- dom-serializer@0.1.1 deduped
| | | | | | `-- domelementtype@1.3.1 deduped
| | | | | `-- nth-check@1.0.2
| | | | | `-- boolbase@1.0.0 deduped
| | | | +-- dom-serializer@0.1.1
| | | | | +-- domelementtype@1.3.1
| | | | | `-- entities@1.1.2 deduped
| | | | +-- entities@1.1.2
| | | | +-- htmlparser2@3.10.1
| | | | | +-- domelementtype@1.3.1 deduped
| | | | | +-- domhandler@2.4.2
| | | | | | `-- domelementtype@1.3.1 deduped
| | | | | +-- domutils@1.5.1 deduped
| | | | | +-- entities@1.1.2 deduped
| | | | | +-- inherits@2.0.3 deduped
| | | | | `-- readable-stream@3.6.0
| | | | | +-- inherits@2.0.3 deduped
| | | | | +-- string_decoder@1.1.1 deduped
| | | | | `-- util-deprecate@1.0.2 deduped
| | | | +-- lodash.assignin@4.2.0
| | | | +-- lodash.bind@4.2.1
| | | | +-- lodash.defaults@4.2.0
| | | | +-- lodash.filter@4.6.0
| | | | +-- lodash.flatten@4.4.0
| | | | +-- lodash.foreach@4.5.0
| | | | +-- lodash.map@4.6.0
| | | | +-- lodash.merge@4.6.2
| | | | +-- lodash.pick@4.4.0
| | | | +-- lodash.reduce@4.6.0
| | | | +-- lodash.reject@4.6.0
| | | | `-- lodash.some@4.6.0
| | | +-- escape-unicode@0.2.0
| | | +-- escodegen@2.0.0
| | | | +-- esprima@4.0.1 deduped
| | | | +-- estraverse@5.2.0
| | | | +-- esutils@2.0.3 deduped
| | | | +-- optionator@0.8.1 deduped
| | | | `-- source-map@0.6.1
| | | +-- escope@3.6.0
| | | | +-- es6-map@0.1.5
| | | | | +-- d@1.0.1
| | | | | | +-- es5-ext@0.10.53 deduped
| | | | | | `-- type@1.2.0
| | | | | +-- es5-ext@0.10.53
| | | | | | +-- es6-iterator@2.0.3 deduped
| | | | | | +-- es6-symbol@3.1.3 deduped
| | | | | | `-- next-tick@1.0.0
| | | | | +-- es6-iterator@2.0.3
| | | | | | +-- d@1.0.1 deduped
| | | | | | +-- es5-ext@0.10.53 deduped
| | | | | | `-- es6-symbol@3.1.3 deduped
| | | | | +-- es6-set@0.1.5
| | | | | | +-- d@1.0.1 deduped
| | | | | | +-- es5-ext@0.10.53 deduped
| | | | | | +-- es6-iterator@2.0.3 deduped
| | | | | | +-- es6-symbol@3.1.1
| | | | | | | +-- d@1.0.1 deduped
| | | | | | | `-- es5-ext@0.10.53 deduped
| | | | | | `-- event-emitter@0.3.5 deduped
| | | | | +-- es6-symbol@3.1.3
| | | | | | +-- d@1.0.1 deduped
| | | | | | `-- ext@1.4.0
| | | | | | `-- type@2.5.0
| | | | | `-- event-emitter@0.3.5
| | | | | +-- d@1.0.1 deduped
| | | | | `-- es5-ext@0.10.53 deduped
| | | | +-- es6-weak-map@2.0.3
| | | | | +-- d@1.0.1 deduped
| | | | | +-- es5-ext@0.10.53 deduped
| | | | | +-- es6-iterator@2.0.3 deduped
| | | | | `-- es6-symbol@3.1.3 deduped
| | | | +-- esrecurse@4.3.0 deduped
| | | | `-- estraverse@4.3.0 deduped
| | | +-- esprima@4.0.1 deduped
| | | +-- estraverse@5.1.0
| | | +-- globby@11.0.3 deduped
| | | +-- graceful-fs@4.2.6 deduped
| | | +-- jsdoc@3.6.6
| | | | +-- @babel/parser@7.13.15 deduped
| | | | +-- bluebird@3.7.2 deduped
| | | | +-- catharsis@0.8.11
| | | | | `-- lodash@4.17.21 deduped
| | | | +-- escape-string-regexp@2.0.0
| | | | +-- js2xmlparser@4.0.1
| | | | | `-- xmlcreate@2.0.3
| | | | +-- klaw@3.0.0
| | | | | `-- graceful-fs@4.2.6 deduped
| | | | +-- markdown-it@10.0.0
| | | | | +-- argparse@1.0.10 deduped
| | | | | +-- entities@2.0.3
| | | | | +-- linkify-it@2.2.0
| | | | | | `-- uc.micro@1.0.6 deduped
| | | | | +-- mdurl@1.0.1
| | | | | `-- uc.micro@1.0.6
| | | | +-- markdown-it-anchor@5.3.0
| | | | +-- marked@0.8.2
| | | | +-- mkdirp@1.0.4
| | | | +-- requizzle@0.2.3
| | | | | `-- lodash@4.17.21 deduped
| | | | +-- strip-json-comments@3.1.1
| | | | +-- taffydb@2.6.2
| | | | `-- underscore@1.10.2

Thanks,
Rajesh

@matz3
Member

matz3 commented Apr 19, 2021

The dependency only comes via jsdoc and we're already using the latest version v3.6.6.
This seems to be already tracked here: jsdoc/jsdoc#1906
If they release a bugfix as v3.6.7, there's nothing to be done by this project. Consumers only need to make sure they update their package-lock files to consume the latest in-range dependencies. Therefore closing this issue.
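The advisory quoted in the report and the maintainer's reply come down to one practical question for a consumer: which copy of underscore does my lockfile actually resolve, through which chain of parents, and does that version fall inside the affected ranges? The Node.js script below is an added example written for this page; it is not code from the karma-ui5 project or from either commenter. It walks a lockfileVersion 1 package-lock.json (the nested "dependencies" layout), reports every underscore entry together with the path that pulls it in, and flags versions inside the ranges the advisory names, read here as 1.3.2 <= v < 1.12.1 and 1.13.0-0 <= v < 1.13.0-2 (the inclusive-lower, exclusive-upper reading is an assumption). The lockfile fragment embedded in the script is constructed to mirror only the karma-ui5 > @ui5/project > @ui5/builder > jsdoc > underscore branch of the reporter's tree; VULNERABLE_RANGES, parseVersion, compareVersions, findPackage and auditUnderscore are names introduced for this example.

```javascript
// Added example (not from the karma-ui5 project or the issue thread): audit a
// package-lock.json for copies of `underscore` inside the version ranges quoted
// in the CVE-2021-23358 advisory and report the dependency path to each one.

// Ranges from the advisory text, assumed inclusive lower / exclusive upper.
const VULNERABLE_RANGES = [
  { min: '1.3.2', max: '1.12.1' },
  { min: '1.13.0-0', max: '1.13.0-2' },
];

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into a comparable structure.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] === undefined ? null : m[4].split('.'),
  };
}

// Semver precedence: compare the numeric core first; a prerelease sorts before
// the release with the same core; numeric prerelease identifiers compare as
// numbers and rank below alphanumeric ones. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;   // release > prerelease
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (pa.pre[i] === undefined) return -1;   // shorter prerelease sorts first
    if (pb.pre[i] === undefined) return 1;
    const na = /^\d+$/.test(pa.pre[i]);
    const nb = /^\d+$/.test(pb.pre[i]);
    if (na && nb) {
      const x = Number(pa.pre[i]);
      const y = Number(pb.pre[i]);
      if (x !== y) return x < y ? -1 : 1;
    } else if (na) {
      return -1;                               // numeric < alphanumeric
    } else if (nb) {
      return 1;
    } else if (pa.pre[i] !== pb.pre[i]) {
      return pa.pre[i] < pb.pre[i] ? -1 : 1;
    }
  }
  return 0;
}

// True when `version` lies inside any of the advisory's ranges.
function isVulnerable(version) {
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) < 0,
  );
}

// Walk the nested "dependencies" maps of a lockfileVersion 1 lockfile and
// collect every entry named `pkg`, with the chain of parents that pulls it in.
function findPackage(lock, pkg) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${entry.version}`];
      if (name === pkg) {
        hits.push({ version: entry.version, path: here, vulnerable: isVulnerable(entry.version) });
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile fragment mirroring one branch of the reporter's tree.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'karma-ui5': { version: '2.3.3', dependencies: {
      '@ui5/project': { version: '2.3.1', dependencies: {
        '@ui5/builder': { version: '2.8.2', dependencies: {
          jsdoc: { version: '3.6.6', dependencies: {
            underscore: { version: '1.10.2' },
          } },
        } },
      } },
    } },
  },
};

// Entry point: defaults to the embedded sample so the script runs offline.
function auditUnderscore(lock = SAMPLE_LOCK) {
  return findPackage(lock, 'underscore');
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of auditUnderscore()) {
    console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}  ${hit.path.join(' > ')}`);
  }
}
```

Run it with node against the embedded sample, or pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to auditUnderscore for a real project. Lockfiles written with lockfileVersion 2 still carry a compatible "dependencies" section, but lockfileVersion 3 files only have the flat "packages" map and need a different walker. A hit reported under jsdoc@3.6.6 is exactly the situation matz3 describes: the consuming project cannot change which underscore jsdoc asks for, so the consumer-side remediation is refreshing the lockfile so it resolves the newest in-range dependency, then re-running this check to confirm the resolved version is no longer flagged.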

@matz3 matz3 closed this as completed Apr 19, 2021
@matz3 matz3 added the invalid and security labels Apr 19, 2021