Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[High] Snyk: Prototype Pollution - lodash.mergewith (due 8/2/19) #3022

Closed
Tracked by #137
lbeaufort opened this issue Jul 3, 2019 · 1 comment
Closed
Tracked by #137

[High] Snyk: Prototype Pollution - lodash.mergewith (due 8/2/19) #3022

lbeaufort opened this issue Jul 3, 2019 · 1 comment
Assignees
@rfultz
Labels
Security: high Remediate within 30 days
Milestone
Sprint 9.5

Comments

@lbeaufort
Copy link
Member

lbeaufort commented Jul 3, 2019
edited by patphongs

Prototype Pollution
Vulnerable module: lodash.mergewith
Introduced through: sanitize-html@1.18.4
Detailed paths
Introduced through: fec-cms@1.0.0 › sanitize-html@1.18.4 › lodash.mergewith@4.6.1
Remediation: Upgrade lodash.mergewith to version 4.6.2 or higher.

Vulnerable Functions

index.baseMerge
index.baseMergeDeep

https://app.snyk.io/vuln/SNYK-JS-LODASHMERGEWITH-174136
@lbeaufort lbeaufort added the Security: high Remediate within 30 days label Jul 3, 2019
@lbeaufort lbeaufort added this to the Sprint 9.5 milestone Jul 3, 2019
@lbeaufort lbeaufort changed the title [High] Snyk: Prototype Pollution (due 8/2/19) [High] Snyk: Prototype Pollution - lodash.mergewith (due 8/2/19) Jul 3, 2019
@lbeaufort lbeaufort mentioned this issue Jul 3, 2019
Closed
@fec-jli fec-jli mentioned this issue Jul 10, 2019
Closed
@rfultz rfultz self-assigned this Jul 11, 2019
@rfultz rfultz mentioned this issue Jul 11, 2019
Closed
@jason-upchurch jason-upchurch mentioned this issue Jul 17, 2019
Closed
@pkfec pkfec mentioned this issue Jul 25, 2019
Closed
@patphongs
Copy link
Member

Vulnerability has been remediated, see this comment for details: #3043 (comment)

@patphongs patphongs mentioned this issue Feb 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rfultz rfultz

Labels
Security: high Remediate within 30 days
Projects
None yet
Milestone
Sprint 9.5
Development

Successfully merging a pull request may close this issue.

3022 Upgrade patch/latest version of lodash.mergewith fecgov/fec-cms
3 participants
@patphongs @rfultz @lbeaufort