yarn audit --json
{"type":"auditAdvisory","data":{"resolution":{"id":782,"path":"lodash","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.2.0","paths":["lodash"],"dev":false,"optional":false,"bundled":false}],"id":782,"created":"2019-02-13T16:16:53.770Z","updated":"2019-02-13T16:16:53.770Z","deleted":null,"title":"Prototype Pollution","found_by":{"link":"","name":"asgerf"},"reported_by":{"link":"","name":"asgerf"},"module_name":"lodash","cves":["CVE-2018-16487"],"vulnerable_versions":"<4.17.11","patched_versions":">=4.17.11","overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n","recommendation":"Update to version 4.17.11 or later.","references":"- [HackerOne Report](https://hackerone.com/reports/380873)","access":"public","severity":"moderate","cwe":"CWE-471","metadata":{"module_type":"","exploitability":3,"affected_components":""},"url":"https://npmjs.com/advisories/782"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":577,"path":"lodash","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.2.0","paths":["lodash"],"dev":false,"optional":false,"bundled":false}],"id":577,"created":"2018-04-24T14:27:02.796Z","updated":"2018-04-24T14:27:13.049Z","deleted":null,"title":"Prototype Pollution","found_by":{"name":"Olivier Arteau (HoLyVieR)"},"reported_by":{"name":"Olivier Arteau (HoLyVieR)"},"module_name":"lodash","cves":["CVE-2018-3721"],"vulnerable_versions":"<4.17.5","patched_versions":">=4.17.5","overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n","recommendation":"Update to version 4.17.5 or later.","references":"- [HackerOne Report](https://hackerone.com/reports/310443)","access":"public","severity":"low","cwe":"CWE-471","metadata":{"module_type":"","exploitability":1,"affected_components":""},"url":"https://npmjs.com/advisories/577"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":566,"path":"hoek","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.16.3","paths":["hoek"],"dev":false,"optional":false,"bundled":false}],"id":566,"created":"2018-04-20T21:25:58.421Z","updated":"2019-02-14T16:00:33.922Z","deleted":null,"title":"Prototype Pollution","found_by":{"name":"HoLyVieR"},"reported_by":{"name":"HoLyVieR"},"module_name":"hoek","cves":[],"vulnerable_versions":"<= 4.2.0 || >= 5.0.0 < 5.0.3","patched_versions":"> 4.2.0 < 5.0.0 || >= 5.0.3","overview":"Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.","recommendation":"Update to version 4.2.1, 5.0.3 or later.","references":"","access":"public","severity":"moderate","cwe":"CWE-471","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/566"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":2,"high":0,"critical":0},"dependencies":2,"devDependencies":0,"optionalDependencies":0,"totalDependencies":2}}