You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Vulnerable Library - express-validator-6.9.2.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/validator/package.json
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-3765
Vulnerable Library - validator-13.5.2.tgz
String validation and sanitization
Library home page: https://registry.npmjs.org/validator/-/validator-13.5.2.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/validator/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
validator.js is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-11-02
URL: CVE-2021-3765
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-qgmg-gppg-76g5
Release Date: 2021-11-02
Fix Resolution (validator): 13.7.0
Direct dependency fix Resolution (express-validator): 6.10.0
Step up your Open Source Security Game with Mend here
CVE-2021-23337
Vulnerable Library - lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (express-validator): 6.10.0
Step up your Open Source Security Game with Mend here
CVE-2020-28500
Vulnerable Library - lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (express-validator): 6.10.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: