[Snyk: Medium] package.json - Prototype Pollution (due 12/06/2020) #4105
Comments
This is still being flagged by Snyk - reopening for now. Here's the info: https://app.snyk.io/org/fecgov/project/2a97cddb-4b62-4d54-b18f-3b85d55a5e10/?fromGitHubAuth=true#issue-SNYK-JS-UAPARSERJS-1023599 Thanks @patphongs for taking another look!

@lbeaufort It appears that the fix that was slated for datatables.net v1.10.22 was incompatible/incomplete for this, so it's reflagging again. Looks like the more recent remediation was done to their master branch but hasn't been pushed out yet. Once it's pushed out, we'll see if that requires a version update on our end: https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402

Flagged by Snyk as "high" in log review, so merged a PR that should address this too. https://app.snyk.io/org/fecgov/project/2a97cddb-4b62-4d54-b18f-3b85d55a5e10/#issue-SNYK-JS-DATATABLESNET-1016402
Prototype Pollution
Vulnerable module: datatables.net
Introduced through: datatables.net@1.10.10 and datatables.net-responsive@2.2.3
Exploit maturity: Proof of concept
Fixed in: 1.10.22
Detailed paths and remediation
Introduced through: fec-cms@1.0.0 › datatables.net@1.10.10
Remediation: Upgrade to datatables.net@1.10.22
Introduced through: fec-cms@1.0.0 › datatables.net-responsive@2.2.3 › datatables.net@1.10.20
Remediation: Your dependencies are out of date, otherwise you would be using a newer datatables.net than datatables.net@1.10.20. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Overview
datatables.net is DataTables for jQuery.
Affected versions of this package are vulnerable to Prototype Pollution.
https://app.snyk.io/vuln/SNYK-JS-DATATABLESNET-598806