npm audit --json
{ | |
"actions": [ | |
{ | |
"action": "install", | |
"module": "lodash", | |
"target": "4.17.11", | |
"isMajor": true, | |
"resolves": [ | |
{ | |
"id": 782, | |
"path": "lodash", | |
"dev": true, | |
"optional": false, | |
"bundled": false | |
}, | |
{ | |
"id": 577, | |
"path": "lodash", | |
"dev": true, | |
"optional": false, | |
"bundled": false | |
} | |
] | |
}, | |
{ | |
"action": "review", | |
"module": "hoek", | |
"resolves": [ | |
{ | |
"id": 566, | |
"path": "hoek", | |
"dev": false, | |
"optional": false, | |
"bundled": false | |
} | |
] | |
} | |
], | |
"advisories": { | |
"566": { | |
"findings": [ | |
{ | |
"version": "2.16.3", | |
"paths": [ | |
"hoek" | |
], | |
"dev": false, | |
"optional": false, | |
"bundled": false | |
} | |
], | |
"id": 566, | |
"created": "2018-04-20T21:25:58.421Z", | |
"updated": "2019-02-14T16:00:33.922Z", | |
"deleted": null, | |
"title": "Prototype Pollution", | |
"found_by": { | |
"name": "HoLyVieR" | |
}, | |
"reported_by": { | |
"name": "HoLyVieR" | |
}, | |
"module_name": "hoek", | |
"cves": [], | |
"vulnerable_versions": "<= 4.2.0 || >= 5.0.0 < 5.0.3", | |
"patched_versions": "> 4.2.0 < 5.0.0 || >= 5.0.3", | |
"overview": "Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.", | |
"recommendation": "Update to version 4.2.1, 5.0.3 or later.", | |
"references": "", | |
"access": "public", | |
"severity": "moderate", | |
"cwe": "CWE-471", | |
"metadata": { | |
"module_type": "", | |
"exploitability": 5, | |
"affected_components": "" | |
}, | |
"url": "https://npmjs.com/advisories/566" | |
}, | |
"577": { | |
"findings": [ | |
{ | |
"version": "1.2.0", | |
"paths": [ | |
"lodash" | |
], | |
"dev": true, | |
"optional": false, | |
"bundled": false | |
} | |
], | |
"id": 577, | |
"created": "2018-04-24T14:27:02.796Z", | |
"updated": "2018-04-24T14:27:13.049Z", | |
"deleted": null, | |
"title": "Prototype Pollution", | |
"found_by": { | |
"name": "Olivier Arteau (HoLyVieR)" | |
}, | |
"reported_by": { | |
"name": "Olivier Arteau (HoLyVieR)" | |
}, | |
"module_name": "lodash", | |
"cves": [ | |
"CVE-2018-3721" | |
], | |
"vulnerable_versions": "<4.17.5", | |
"patched_versions": ">=4.17.5", | |
"overview": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n", | |
"recommendation": "Update to version 4.17.5 or later.", | |
"references": "- [HackerOne Report](https://hackerone.com/reports/310443)", | |
"access": "public", | |
"severity": "low", | |
"cwe": "CWE-471", | |
"metadata": { | |
"module_type": "", | |
"exploitability": 1, | |
"affected_components": "" | |
}, | |
"url": "https://npmjs.com/advisories/577" | |
}, | |
"782": { | |
"findings": [ | |
{ | |
"version": "1.2.0", | |
"paths": [ | |
"lodash" | |
], | |
"dev": true, | |
"optional": false, | |
"bundled": false | |
} | |
], | |
"id": 782, | |
"created": "2019-02-13T16:16:53.770Z", | |
"updated": "2019-02-13T16:16:53.770Z", | |
"deleted": null, | |
"title": "Prototype Pollution", | |
"found_by": { | |
"link": "", | |
"name": "asgerf" | |
}, | |
"reported_by": { | |
"link": "", | |
"name": "asgerf" | |
}, | |
"module_name": "lodash", | |
"cves": [ | |
"CVE-2018-16487" | |
], | |
"vulnerable_versions": "<4.17.11", | |
"patched_versions": ">=4.17.11", | |
"overview": "Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects. (This is a distinct bypass of the `__proto__` fix shipped in 4.17.5; the `vulnerable_versions` range `<4.17.11` is the authoritative one.)\n\n", | |
"recommendation": "Update to version 4.17.11 or later.", | |
"references": "- [HackerOne Report](https://hackerone.com/reports/380873)", | |
"access": "public", | |
"severity": "moderate", | |
"cwe": "CWE-471", | |
"metadata": { | |
"module_type": "", | |
"exploitability": 3, | |
"affected_components": "" | |
}, | |
"url": "https://npmjs.com/advisories/782" | |
} | |
}, | |
"muted": [], | |
"metadata": { | |
"vulnerabilities": { | |
"info": 0, | |
"low": 1, | |
"moderate": 2, | |
"high": 0, | |
"critical": 0 | |
}, | |
"dependencies": 1, | |
"devDependencies": 1, | |
"optionalDependencies": 0, | |
"totalDependencies": 2 | |
}, | |
"runId": "7ee29164-795b-49d2-932a-ccd10d7e03b2" | |
} |