Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64 #4734

Closed
mend-for-github-com bot opened this issue Aug 14, 2023 · 1 comment
Assignees
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link

WS-2017-3772 - High Severity Vulnerability

Vulnerable Library - juice-shopjuice-shop-14.5.1_node16_darwin_x64

Probably the most modern and sophisticated insecure web application

Library home page: https://sourceforge.net/projects/juice-shop/

Found in base branch: main

Vulnerable Source Files (1)

/packages/osd-ui-framework/node_modules/underscore.string/unescapeHTML.js

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.

Publish Date: 2017-09-08

URL: WS-2017-3772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-09-08

Fix Resolution: underscore.string - 3.3.5

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Aug 14, 2023
@AMoo-Miki AMoo-Miki changed the title WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64 WS-2017-3772 (High) detected underscore.string 2.4.0 through 3.3.5 Aug 15, 2023
@manasvinibs manasvinibs self-assigned this Aug 15, 2023
@mend-for-github-com mend-for-github-com bot changed the title WS-2017-3772 (High) detected underscore.string 2.4.0 through 3.3.5 WS-2017-3772 (High) detected in juice-shopjuice-shop-14.5.1_node16_darwin_x64 Aug 16, 2023
@manasvinibs
Copy link
Member

yarn why underscore.string
yarn why v1.22.19
[1/4] Why do we have the module "underscore.string"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "grunt#[email protected]"
info Reasons this module exists
   - "_project_#grunt#grunt-legacy-util" depends on it
   - Hoisted from "_project_#grunt#grunt-legacy-util#underscore.string"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "444KB"
info Disk size with unique dependencies: "548KB"
info Disk size with transitive dependencies: "548KB"
info Number of shared dependencies: 2
Done in 0.82s.

With the current state in main, package manager is already installing underscore.string to 3.3.6 version as its locked in the yarn.lock file. We will not need additional package.json resolution to bump the version to 3.3.6.

Resolving as we already install suggested fix version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

3 participants