CVE-2021-23337 (High) detected in lodash-4.17.4.tgz #116

mend-bolt-for-github · 2022-07-13T16:55:29Z

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.4.tgz

Lodash modular utilities.

Path to dependency file: /exec-ui/package.json

Path to vulnerable library: /exec-ui/node_modules/lodash/package.json

Dependency Hierarchy:

ngx-infinite-scroll-0.8.4.tgz (Root Library)
- opencollective-1.0.3.tgz
  - inquirer-3.0.6.tgz
    - ❌ lodash-4.17.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

CVSS 3 Score Details (7.2)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (ngx-infinite-scroll): 0.9.0

Step up your Open Source Security Game with Mend here

mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Jul 13, 2022