You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
AMoo-Miki
changed the title
WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64
WS-2017-3772 (High) detected underscore.string 2.4.0 through 3.3.5
Aug 15, 2023
mend-for-github-combot
changed the title
WS-2017-3772 (High) detected underscore.string 2.4.0 through 3.3.5
WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64
Aug 16, 2023
yarn why underscore.string
yarn why v1.22.19
[1/4] Why do we have the module "underscore.string"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "grunt#[email protected]"
info Reasons this module exists
- "_project_#grunt#grunt-legacy-util" depends on it
- Hoisted from "_project_#grunt#grunt-legacy-util#underscore.string"
- in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "444KB"
info Disk size with unique dependencies: "548KB"
info Disk size with transitive dependencies: "548KB"
info Number of shared dependencies: 2
Done in 0.82s.
With the current state in main, package manager is already installing underscore.string to 3.3.6 version as its locked in the yarn.lock file. We will not need additional package.json resolution to bump the version to 3.3.6.
Resolving as we already install suggested fix version.
WS-2017-3772 - High Severity Vulnerability
Vulnerable Library - juice-shopjuice-shop-14.5.1_node16_darwin_x64
Probably the most modern and sophisticated insecure web application
Library home page: https://sourceforge.net/projects/juice-shop/
Found in base branch: main
Vulnerable Source Files (1)
/packages/osd-ui-framework/node_modules/underscore.string/unescapeHTML.js
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.
Publish Date: 2017-09-08
URL: WS-2017-3772
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2017-09-08
Fix Resolution: underscore.string - 3.3.5
The text was updated successfully, but these errors were encountered: