
Grunt-legacy-util giving old lodash version

Open saurav-nar opened this issue 6 years ago • 1 comment

I am using grunt v1.0.3, which has a transitive dependency on grunt-legacy-util version 1.1.1. Under that I see the dependency below, where I am expecting lodash version 4.17.15, but I see version 4.17.10, which is a little old and a vulnerable library.

Description from CVE: A prototype pollution vulnerability was found in lodash 4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Explanation: The lodash package is vulnerable to Prototype Pollution. The safeGet() function in the lodash.js file fails to restrict the addition or modification of properties of Object prototypes. A remote attacker can exploit this vulnerability by crafting and submitting a request containing malicious JSON to an endpoint that accepts JSON data. The attacker can leverage this vulnerability to modify Object prototype properties which, depending on the behavior of the object within the application, can result in a Denial of Service (DoS) or potentially Remote Code Execution (RCE). The Sonatype security research team discovered that the root cause of this vulnerability was introduced in version 4.17.5 due to an incomplete fix made for CVE-2018-3721. As a result, contrary to what the advisory states, only versions between 4.17.5 and 4.17.11 (exclusive) have been implicated for CVE-2018-16487. Vulnerable versions prior to 4.17.5 are still covered by CVE-2018-3721.

Detection: The application is vulnerable by using the merge, mergeWith, or defaultsDeep functions in this component to process user-supplied JSON data.

So I want to get the latest version, 4.17.15. Please find below the details of grunt-legacy-util 1.1.1 which I am currently observing:

"grunt-legacy-util": {
  "version": "1.1.1",
  "resolved": "http:xxxx/grunt-legacy-util/-/grunt-legacy-util-1.1.1.tgz",
  "integrity": "...==",
  "dev": true,
  "requires": {
    "async": "~1.5.2",
    "exit": "~0.1.1",
    "getobject": "~0.1.0",
    "hooker": "~0.2.3",
    "lodash": "~4.17.10",
    "underscore.string": "~3.3.4",
    "which": "~1.3.0"
  }
}

saurav-nar, Oct 01 '19 10:10
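The issue above comes down to a question a lockfile audit answers: which copies of lodash are actually resolved in the tree, including transitive ones nested under grunt-legacy-util, and are any of them below the version the reporter wants. The following script is an added example, not code from the grunt project or from the issue author. It walks a package-lock.json in the lockfileVersion 1 layout shown in the issue (top-level "dependencies" with nested "dependencies" per package), collects every copy of a named package with its path, and reports the ones older than a minimum version. The embedded lock fragment is constructed to mirror the issue (grunt 1.0.3 pinning grunt-legacy-util 1.1.1, which resolves lodash 4.17.10, beside a top-level lodash 4.17.15); the version-comparison helper is a deliberately minimal one that ignores pre-release tags, so it is not a full semver implementation.

```javascript
// Added example (not from the grunt project or the issue): audit a
// lockfileVersion 1 package-lock.json for copies of a package that resolve
// below a minimum version, walking nested "dependencies" so transitive
// copies (like lodash under grunt-legacy-util) are found. No npm modules needed.

// Constructed sample lock modelled on the issue; "resolved"/"integrity" are
// omitted on purpose, as they are not needed for the version check.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: "4.17.15", dev: false },
    grunt: {
      version: "1.0.3",
      dev: true,
      requires: { "grunt-legacy-util": "~1.1.1" },
      dependencies: {
        "grunt-legacy-util": {
          version: "1.1.1",
          dev: true,
          requires: { lodash: "~4.17.10" },
          dependencies: {
            lodash: { version: "4.17.10", dev: true }
          }
        }
      }
    }
  }
};

// "4.17.10" -> [4, 17, 10]; a pre-release suffix such as "-beta.1" is dropped.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(n => parseInt(n, 10));
}

// Negative if a < b, zero if equal, positive if a > b (major, minor, patch).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk of the lock tree; returns every copy of `pkg` with the
// path of package names leading to it, its resolved version and dev flag.
function findPackage(lock, pkg) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === pkg) {
        hits.push({ path: here.join(" > "), version: entry.version, dev: !!entry.dev });
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Only the copies of `pkg` that resolve below `minVersion`.
function auditLock(lock, pkg, minVersion) {
  return findPackage(lock, pkg).filter(h => compareVersions(h.version, minVersion) < 0);
}

// CLI use: `node audit-lock.js ./package-lock.json`; with no argument the
// constructed sample is audited instead.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const stale = auditLock(lock, "lodash", "4.17.15");
  for (const s of stale) {
    console.log(`${s.path}: lodash@${s.version}${s.dev ? " (dev)" : ""} is below 4.17.15`);
  }
  if (stale.length === 0) console.log("no stale lodash copies found");
}

module.exports = { SAMPLE_LOCK, parseVersion, compareVersions, findPackage, auditLock };
```

Against the sample the script reports one stale copy, "grunt > grunt-legacy-util > lodash" at 4.17.10, while the top-level 4.17.15 passes; that is exactly the shape of the problem the issue describes, and the path tells you which parent dependency has to move (here grunt, via grunt-legacy-util) rather than just that "lodash is old". Note that a dev-only copy still matters if the tool runs untrusted input, but the dev flag lets you prioritise.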

grunt 1.3.0 uses grunt-legacy-util ~2.0.0, which uses lodash ~4.17.20. You should update grunt and close this issue. (cc: @vladikoff)

silviuburceadev, Mar 19 '21 11:03