Recently, my security scan flagged the following vulnerability.
Security scan result:
Explanation: The `lodash` package is vulnerable to Command Injection. The `template` function in the `lodash.js` and `template.js` files does not properly ensure the `variable` property of the `options` parameter to be a valid EcmaScript. An attacker can exploit this vulnerability by passing a template with malicious JavaScript in it to the affected function. This will result in Remote Code Execution.
Note: this vulnerability is due to an insufficient fix for CVE-2021-23337.
Detection: the application is vulnerable because it uses this component.
Recommendation: there is no safe upgrade path for this component/package. We recommend investigating alternative components or potential mitigating controls.
When I run npm audit, I see this vulnerability. Although all of my packages are updated in the package.json file, I still get this error.
npm audit result:
{
High Command Injection in lodash
Package lodash
Patched in >=4.17.21
Dependency of grunt-maven-deploy [dev]
Path grunt-maven-deploy > grunt > grunt-legacy-log >
grunt-legacy-log-utils > lodash
More info https://github.com/advisories/GHSA-35jh-r3h4-6jhm
High Command Injection in lodash
Package lodash
Patched in >=4.17.21
Dependency of grunt-maven-deploy [dev]
Path grunt-maven-deploy > grunt > grunt-legacy-log > lodash
More info https://github.com/advisories/GHSA-35jh-r3h4-6jhm
}
package.json (devDependencies fragment):
{
"grunt": "1.4.1",
"grunt-cli": "1.4.3",
"grunt-maven-deploy": "0.2.1",
"grunt-run": "0.8.1",
"grunt-tslint": "5.0.2"
}
Can someone explain this and help me fix it?
Thanks