Comments (5)
If you are in a situation, where you can read the version via devtools, you already have code execution privileges.
If you are doing recon on another website e.g. to find vulns, you can just guess the version based on the source code (yes, even if minified). Or just try to exploit the issues straight away.
So it makes absolutely no sense to try to hide the version of a client-side library.
from lodash.
This issue is causing some security concerns in my organization is someone able to looking into it?
from lodash.
Tell whoever raised those concerns that it's trivial to determine a library version anyway...
from lodash.
The last vestige of this issue was removed from the main branch of lodash
in 2019 in 40e9c66.
Unfortunately, that commit wasn't included in the 4.17.21 release that went out the following month, and there hasn't been a subsequent release of lodash
in that time. (And it doesn't seem like there's a release coming any time soon, although I would be delighted to be wrong about that.)
Fortunately, this is not actually a significant security issue. Your security scanners and information security officers are participating in a false positive race to the bottom. Sure, lodash
can redact the version information, but that's security through obscurity. Since the version disclosure issue is only a problem on the client side, the attacker can simply inspect the payload to determine the version or not even bother and just run whatever exploit they would use on a vulnerable version and see if it works.
from lodash.
This vulnerability might be caused because the lodash object is exported globally and it can be accessed directly using window._
You could get rid of this vulnerability issue by following the solution suggested here - #2671 (comment)
Link to the solution: webpack/webpack#3017 (comment)
from lodash.
Related Issues (20)
- curryRight is broken in list.map context HOT 1
- multiple vulnerabilities that exist in lodash.findlast HOT 4
- Attempt structuredClone in cloneDeep before doing manual clone HOT 6
- _.trimStart not work with "/" char
- _.kebabCase and _.camelCase treat some digits as delimiters but not others HOT 1
- async attempt
- lodash-es outdated HOT 1
- feature request: Safe maths functions HOT 6
- Alias `_.tail` to `_.last` HOT 2
- _.deburr() - ț not convert to t HOT 3
- Typescript error HOT 7
- Discussion on Performance Issues of `trimStart` and `trimEnd`(关于 `trimStart` 和 `trimEnd` 性能问题的讨论) HOT 3
- array _.difference bug HOT 1
- CVE-2021-23337 lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. HOT 4
- There may be a bug here HOT 2
- When `debounce` or `throttle` options objects have undefined values, those options are unexpectedly set to non-defaults
- Can we include the time and space complexity of each functions in the documentation ?
- Lodash fails to run in edge environments (Vercel edge, CloudFlare workers)
- contribution
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lodash.