High Vulnerabilities
This is connected to the issue critical vulnerabilities #851.
The latest OWASP scan considering version 1.0.2 reports 12 high vulnerabilities. The critical vulnerabilities were successfully accounted for with the previous issue and corresponding pull request. All of the high issues pertain to npm. The security team in my organization requires critical and high vulnerabilities to be non-existent for the approved use.
pkg:npm/ini@1.3.5 HIGH CWE-471: Modification of Assumed-Immutable Data (MAID) https://ossindex.sonatype.org/vulnerability/c08153de-a0ad-4212-963d-3de92eaab509?component-type=npm&component-name=ini&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0 The software does not properly protect an assumed-immutable element from being modified by an attacker.
pkg:npm/lodash@4.17.15 HIGH CVE-2021-23337 https://ossindex.sonatype.org/vulnerability/22d2fa1f-0b1d-4240-a4c0-9954a5dc9082?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0 Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
pkg:npm/lodash@4.17.15 high 1673 lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
pkg:npm/lodash@4.17.15 HIGH CVE-2020-8203 https://ossindex.sonatype.org/vulnerability/8740216c-fea2-4998-a7c0-a687c35a2f92?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0 Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.
pkg:npm/lodash@4.17.15 HIGH CWE-770: Allocation of Resources Without Limits or Throttling https://ossindex.sonatype.org/vulnerability/eeedfb1c-6a5e-428c-bb17-c64b66f9eced?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0 “The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor.”
pkg:npm/lodash@4.17.20 HIGH CVE-2021-23337 https://ossindex.sonatype.org/vulnerability/22d2fa1f-0b1d-4240-a4c0-9954a5dc9082?component-type=npm&component-name=lodash&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0 Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
pkg:npm/lodash@4.17.20 high 1673 lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
pkg:npm/markdown@0.5.0 HIGH CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) https://ossindex.sonatype.org/vulnerability/696b3c22-8fb1-4dde-8042-4691ae4107d6?component-type=npm&component-name=markdown&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0 “The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.”
pkg:npm/minimist@0.0.10 HIGH CWE-94: Improper Control of Generation of Code (‘Code Injection’) https://ossindex.sonatype.org/vulnerability/a0172c09-270c-4d3c-9816-564f20f372db?component-type=npm&component-name=minimist&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0 “The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.”
pkg:npm/prismjs@1.19.0 HIGH CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) https://ossindex.sonatype.org/vulnerability/80928575-5fee-4f94-8bc6-48b2461442df?component-type=npm&component-name=prismjs&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0 “The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.”
pkg:npm/y18n@3.2.1 high 1654 “y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.

## POC

```js
const y18n = require('y18n')();

y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true
```
”
pkg:npm/y18n@3.2.1 HIGH CWE-20: Improper Input Validation https://ossindex.sonatype.org/vulnerability/ef4add6f-4439-4eb8-bd0e-d040ff4ba76b?component-type=npm&component-name=y18n&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.0 The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
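The practical follow-up to a scan like this is to re-check the lockfile after upgrading, rather than trusting that a bump of one top-level package also replaced nested copies. The script below is an added example, not code from this issue or from the project: it walks an npm lockfile (the v1 nested `dependencies` tree or the v2/v3 `packages` map) and flags the two findings above that state a fixed version, lodash before 4.17.21 and y18n before 3.2.2 / 4.0.1 / 5.0.5. The other findings give only a CWE and no fixed version, so they are not encoded. The sample lockfile, the `yargs` version in it, and the `ADVISORIES`, `compareVersions`, `isVulnerable` and `auditLockfile` names are all constructed for the example.

```javascript
// Added example, not code from the issue or the project it concerns.
// Re-checks an npm lockfile against the two findings above that state
// fixed versions (lodash < 4.17.21, y18n < 3.2.2 / 4.0.1 / 5.0.5).
// The lockfile below is constructed for the demo; a real run would
// use JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).

// Fixed version per major line. The key "*" means one fix covers all lines.
// Advisory ids are the ones printed in the scan above.
const ADVISORIES = {
  lodash: { id: 'CVE-2021-23337', fixed: { '*': '4.17.21' } },
  y18n: { id: 'advisory 1654', fixed: { 3: '3.2.2', 4: '4.0.1', 5: '5.0.5' } },
};

// Compare dotted numeric versions (MAJOR.MINOR.PATCH); prerelease suffixes are dropped.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` of `name` is older than the fixed version for its major
// line. Majors older than the lowest patched line never received a fix and
// count as vulnerable; majors newer than the highest patched line are unaffected.
function isVulnerable(name, version) {
  const adv = ADVISORIES[name];
  if (!adv) return false;
  if ('*' in adv.fixed) return compareVersions(version, adv.fixed['*']) < 0;
  const major = Number(version.split('.')[0]);
  const patchedLines = Object.keys(adv.fixed).map(Number);
  if (major < Math.min(...patchedLines)) return true;
  if (!(major in adv.fixed)) return false;
  return compareVersions(version, adv.fixed[major]) < 0;
}

// Walk either the v2/v3 "packages" map (keys are node_modules paths) or the
// v1 nested "dependencies" tree and report every vulnerable occurrence,
// including copies nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  const report = (name, version, path) =>
    findings.push({ name, version, path, id: ADVISORIES[name].id });

  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [pkgPath, info] of Object.entries(lock.packages)) {
      if (pkgPath === '') continue; // root project entry
      const name = pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
      if (isVulnerable(name, info.version)) report(name, info.version, pkgPath);
    }
    return findings;
  }

  const visit = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (isVulnerable(name, info.version)) report(name, info.version, here.join(' > '));
      visit(info.dependencies, here);
    }
  };
  visit(lock.dependencies, []);
  return findings;
}

// Constructed sample: lodash and the nested y18n carry versions named in the
// scan above; the top-level y18n is patched to show that it is not flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.20' },
    yargs: { version: '15.4.1', dependencies: { y18n: { version: '3.2.1' } } },
    y18n: { version: '5.0.5' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

On the sample it reports `lodash@4.17.20` at the top level and `y18n@3.2.1` under `yargs`, which is exactly the case a top-level upgrade tends to miss: the nested copy stays until the parent that pins it is also updated.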
@nicholasrq , thank you! I completed another scan. All that remains are 9 medium vulnerabilities. We are good to go on our end now considering that the critical and high vulnerabilities were properly accounted for. Thanks again for the updates! We will wait until the next release and then upgrade our instance with pip—and then begin to use the instance.
@dalekube hey!
Took another round updating vulnerable packages. Please take a look at the progress. Everything must be clear now.