
fix(connector-besu): vulnerability cve-2020-8203 #543

Closed
petermetz opened this issue Feb 5, 2021 · 1 comment · Fixed by #581
Labels: Besu, bug, dependencies, good-first-issue, Hacktoberfest, Security
Milestone: v0.5.0

Comments

petermetz (Contributor) commented Feb 5, 2021

Describe the bug

GHSA-p6mc-m468-83gw

CVE-2020-8203
low severity
Vulnerable versions: < 4.17.19
Patched version: 4.17.19
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Dependabot cannot update lodash to a non-vulnerable version
The latest possible version that can be installed is 4.17.15 because of the following conflicting dependency:

web3-eea@0.9.0 requires lodash@4.17.15
The earliest fixed version is 4.17.19.

1 lodash vulnerability found in …/cactus-test-plugin-ledger-connector-besu/package-lock.json 27 days ago
Remediation
Upgrade lodash to version 4.17.19 or later. For example:

"dependencies": {
  "lodash": ">=4.17.19"
}

or…

"devDependencies": {
  "lodash": ">=4.17.19"
}

Always verify the validity and compatibility of suggestions with your codebase.

To Reproduce

https://github.com/hyperledger/cactus/security/dependabot/packages/cactus-test-plugin-ledger-connector-besu/package-lock.json/lodash/open

cc: @takeutak @sfuji822 @hartm @jonathan-m-hamilton @AzaharaC @jordigiam @kikoncuo

petermetz added the bug, good-first-issue, Besu, dependencies, Security and Hacktoberfest labels on Feb 5, 2021
petermetz added this to the v0.5.0 milestone on Feb 5, 2021
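As an added defensive example (not code from the Cactus project or from lodash): a deep-set with the same props/values contract as zipObjectDeep that refuses any path segment reaching Object.prototype, plus a check a test suite can run to confirm a fresh object inherits nothing unexpected. toPath is a simplified, hypothetical path parser, not lodash's.

```javascript
'use strict';

// Keys that let a user-supplied path climb out of the target object and
// rewrite Object.prototype (the root cause of CVE-2020-8203).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical minimal parser: "a.b[0].c" -> ["a", "b", "0", "c"].
function toPath(path) {
  return String(path).split(/[.\[\]]+/).filter((s) => s.length > 0);
}

// Deep-set that aborts before touching the target if any segment is reserved.
function safeSetDeep(target, path, value) {
  const keys = toPath(path);
  if (keys.length === 0) throw new Error('empty path');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing reserved key "${key}" in path "${path}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Only descend into containers the target itself owns; never walk
    // into inherited objects, and create an array when the next key is numeric.
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        node[key] === null || typeof node[key] !== 'object') {
      node[key] = /^\d+$/.test(keys[i + 1]) ? [] : {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Guarded equivalent of _.zipObjectDeep(props, values).
function safeZipObjectDeep(props, values) {
  const result = {};
  props.forEach((prop, i) => safeSetDeep(result, prop, values[i]));
  return result;
}

// Detection aid: does a brand-new object already inherit any of these keys?
function isPrototypePolluted(probeKeys) {
  const fresh = {};
  return probeKeys.some((k) => k in fresh);
}
```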
kikoncuo (Contributor) commented

Fixed in #581, merge pending.
