Glama
Sign In

MCP Security Audit Server

by qianniuspace
Verified
npmGitHub
TypeScript
MIT License
17
7
RedditDiscord
OverviewInspectNewSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue
{ "actions": [ { "isMajor": false, "action": "install", "resolves": [ { "id": 1085674, "path": "lodash", "dev": false, "optional": false, "bundled": false }, { "id": 1094499, "path": "lodash", "dev": false, "optional": false, "bundled": false }, { "id": 1094500, "path": "lodash", "dev": false, "optional": false, "bundled": false }, { "id": 1096305, "path": "lodash", "dev": false, "optional": false, "bundled": false }, { "id": 1096996, "path": "lodash", "dev": false, "optional": false, "bundled": false }, { "id": 1097130, "path": "lodash", "dev": false, "optional": false, "bundled": false }, { "id": 1097140, "path": "lodash", "dev": false, "optional": false, "bundled": false } ], "module": "lodash", "target": "4.17.21" } ], "advisories": { "1085674": { "findings": [ { "version": "4.17.1", "paths": [ "lodash" ] } ], "found_by": null, "deleted": null, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm", "created": "2019-07-19T16:13:07.000Z", "id": 1085674, "npm_advisory_id": null, "overview": "lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.", "reported_by": null, "title": "Regular Expression Denial of Service (ReDoS) in lodash", "metadata": null, "cves": [ "CVE-2019-1010266" ], "access": "public", "severity": "moderate", "module_name": "lodash", "vulnerable_versions": "<4.17.11", "github_advisory_id": "GHSA-x5rq-j2xg-h7qm", "recommendation": "Upgrade to version 4.17.11 or later", "patched_versions": ">=4.17.11", "updated": "2023-01-09T05:01:38.000Z", "cvss": { "score": 0, "vectorString": null }, "cwe": [ "CWE-400" ], "url": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm" }, "1094499": { "findings": [ { "version": "4.17.1", "paths": [ "lodash" ] } ], "found_by": null, "deleted": null, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", "created": "2019-02-07T18:16:48.000Z", "id": 1094499, "npm_advisory_id": null, "overview": "Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.", "reported_by": null, "title": "Prototype Pollution in lodash", "metadata": null, "cves": [ "CVE-2018-16487" ], "access": "public", "severity": "high", "module_name": "lodash", "vulnerable_versions": "<4.17.11", "github_advisory_id": "GHSA-4xc9-xhrj-v574", "recommendation": "Upgrade to version 4.17.11 or later", "patched_versions": ">=4.17.11", "updated": "2023-11-01T23:00:56.000Z", "cvss": { "score": 0, "vectorString": null }, "cwe": [ "CWE-400" ], "url": "https://github.com/advisories/GHSA-4xc9-xhrj-v574" }, "1094500": { "findings": [ { "version": "4.17.1", "paths": [ "lodash" ] } ], "found_by": null, "deleted": null, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9", "created": "2022-01-06T20:30:46.000Z", "id": 1094500, "npm_advisory_id": null, "overview": "All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) \nvar time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0);\nvar time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1);\nvar time2 = Date.now();\nlo.trimEnd(s);\nvar time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2);\n```", "reported_by": null, "title": "Regular Expression Denial of Service (ReDoS) in lodash", "metadata": null, "cves": [ "CVE-2020-28500" ], "access": "public", "severity": "moderate", "module_name": "lodash", "vulnerable_versions": "<4.17.21", "github_advisory_id": "GHSA-29mw-wpgm-hmr9", "recommendation": "Upgrade to version 4.17.21 or later", "patched_versions": ">=4.17.21", "updated": "2023-11-01T23:21:12.000Z", "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, "cwe": [ "CWE-400", "CWE-1333" ], "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9" }, "1096305": { "findings": [ { "version": "4.17.1", "paths": [ "lodash" ] } ], "found_by": null, "deleted": null, "references": "- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://github.com/lodash/lodash/issues/4874\n- https://github.com/github/advisory-database/pull/2884\n- https://hackerone.com/reports/864701\n- https://github.com/lodash/lodash/wiki/Changelog#v41719\n- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/advisories/GHSA-p6mc-m468-83gw", "created": "2020-07-15T19:15:48.000Z", "id": 1096305, "npm_advisory_id": null, "overview": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.", "reported_by": null, "title": "Prototype Pollution in lodash", "metadata": null, "cves": [ "CVE-2020-8203" ], "access": "public", "severity": "high", "module_name": "lodash", "vulnerable_versions": ">=3.7.0 <4.17.19", "github_advisory_id": "GHSA-p6mc-m468-83gw", "recommendation": "Upgrade to version 4.17.19 or later", "patched_versions": ">=4.17.19", "updated": "2024-01-26T15:32:50.000Z", "cvss": { "score": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, "cwe": [ "CWE-770", "CWE-1321" ], "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" }, "1096996": { "findings": [ { "version": "4.17.1", "paths": [ "lodash" ] } ], "found_by": null, "deleted": null, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://security.netapp.com/advisory/ntap-20210312-0006\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm", "created": "2021-05-06T16:05:51.000Z", "id": 1096996, "npm_advisory_id": null, "overview": "`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", "reported_by": null, "title": "Command Injection in lodash", "metadata": null, "cves": [ "CVE-2021-23337" ], "access": "public", "severity": "high", "module_name": "lodash", "vulnerable_versions": "<4.17.21", "github_advisory_id": "GHSA-35jh-r3h4-6jhm", "recommendation": "Upgrade to version 4.17.21 or later", "patched_versions": ">=4.17.21", "updated": "2024-04-17T18:39:19.000Z", "cvss": { "score": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, "cwe": [ "CWE-77", "CWE-94" ], "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" }, "1097130": { "findings": [ { "version": "4.17.1", "paths": [ "lodash" ] } ], "found_by": null, "deleted": null, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004", "created": "2018-07-26T15:14:52.000Z", "id": 1097130, "npm_advisory_id": null, "overview": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.", "reported_by": null, "title": "Prototype Pollution in lodash", "metadata": null, "cves": [ "CVE-2018-3721" ], "access": "public", "severity": "moderate", "module_name": "lodash", "vulnerable_versions": "<4.17.5", "github_advisory_id": "GHSA-fvqr-27wr-82fm", "recommendation": "Upgrade to version 4.17.5 or later", "patched_versions": ">=4.17.5", "updated": "2024-04-22T19:49:54.000Z", "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, "cwe": [ "CWE-471", "CWE-1321" ], "url": "https://github.com/advisories/GHSA-fvqr-27wr-82fm" }, "1097140": { "findings": [ { "version": "4.17.1", "paths": [ "lodash" ] } ], "found_by": null, "deleted": null, "references": "- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp;utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS\n- https://github.com/advisories/GHSA-jf85-cpcp-j695", "created": "2019-07-10T19:45:23.000Z", "id": 1097140, "npm_advisory_id": null, "overview": "Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.", "reported_by": null, "title": "Prototype Pollution in lodash", "metadata": null, "cves": [ "CVE-2019-10744" ], "access": "public", "severity": "critical", "module_name": "lodash", "vulnerable_versions": "<4.17.12", "github_advisory_id": "GHSA-jf85-cpcp-j695", "recommendation": "Upgrade to version 4.17.12 or later", "patched_versions": ">=4.17.12", "updated": "2024-04-22T19:49:44.000Z", "cvss": { "score": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, "cwe": [ "CWE-20", "CWE-1321" ], "url": "https://github.com/advisories/GHSA-jf85-cpcp-j695" } }, "muted": [], "metadata": { "vulnerabilities": { "info": 0, "low": 0, "moderate": 3, "high": 3, "critical": 1 }, "dependencies": 1, "devDependencies": 0, "optionalDependencies": 0, "totalDependencies": 1 } }