Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2021-23358 - Arbitrary Code Execution (Underscore) #4049

Closed
tgardiner opened this issue May 7, 2021 · 3 comments · Fixed by #4051
Closed

CVE-2021-23358 - Arbitrary Code Execution (Underscore) #4049

tgardiner opened this issue May 7, 2021 · 3 comments · Fixed by #4051

Comments

@tgardiner
Copy link

Expected behavior

web3 1.3.5 should not depend on vulnerable versions of underscore.

Actual behavior

web3 1.3.5 depends on a vulnerable version of underscore.

See: https://www.npmjs.com/advisories/1674

Steps to reproduce the behavior

  1. npm install web3
  2. npm audit

Logs

Click to view npm audit output 
underscore  1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution - https://npmjs.com/advisories/1674
No fix available
node_modules/underscore
  web3-bzz  *
  Depends on vulnerable versions of underscore
  node_modules/web3-bzz
    web3  *
    Depends on vulnerable versions of web3-bzz
    Depends on vulnerable versions of web3-utils
    node_modules/web3
  web3-core-helpers  *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-helpers
    web3-core  *
    Depends on vulnerable versions of web3-core-helpers
    node_modules/web3-core
      web3-net  <=1.0.0-beta.55 || >=1.2.0
      Depends on vulnerable versions of web3-core
      Depends on vulnerable versions of web3-utils
      node_modules/web3-net
        web3-eth-personal  *
        Depends on vulnerable versions of web3-core-helpers
        Depends on vulnerable versions of web3-net
        node_modules/web3-eth-personal
        web3-shh  <=1.3.5
        Depends on vulnerable versions of web3-core-subscriptions
        Depends on vulnerable versions of web3-net
        node_modules/web3-shh
    web3-eth-ens  *
    Depends on vulnerable versions of underscore
    Depends on vulnerable versions of web3-core-helpers
    node_modules/web3-eth-ens
      web3-eth  *
      Depends on vulnerable versions of underscore
    Depends on vulnerable versions of web3-eth-ens
      node_modules/web3-eth
    web3-providers-http  *
    Depends on vulnerable versions of web3-core-helpers
    node_modules/web3-providers-http
  web3-core-method  *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-method
  web3-core-requestmanager  *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-requestmanager
  web3-core-subscriptions  *
  Depends on vulnerable versions of underscore
  node_modules/web3-core-subscriptions
  web3-eth-abi  *
  Depends on vulnerable versions of underscore
  node_modules/web3-eth-abi
  web3-eth-accounts  *
  Depends on vulnerable versions of underscore
  node_modules/web3-eth-accounts
  web3-eth-contract  *
  Depends on vulnerable versions of underscore
  node_modules/web3-eth-contract
  web3-providers-ipc  *
  Depends on vulnerable versions of underscore
  node_modules/web3-providers-ipc
  web3-providers-ws  *
  Depends on vulnerable versions of underscore
  node_modules/web3-providers-ws
  web3-utils  >=1.0.0-beta.8
  Depends on vulnerable versions of underscore
  node_modules/web3-utils
    web3-eth-iban  *
    Depends on vulnerable versions of web3-utils
    node_modules/web3-eth-iban

Environment

web3 1.3.5
@azerella
Copy link

azerella commented May 8, 2021

Also experiencing this, would like a fix ASAP

@smartcontracts
Copy link

Seems like dependabot already made a bunch of PRs to update this, e.g.: #4038. Would be great if these could be merged soon, ty!!

@GregTheGreek
Copy link
Contributor

Thanks everyone, getting these in now, will release a patch after some testing to ensure nothing is broken.

Will also be looking into potentially removing underscore since its a relatively large library.

@GregTheGreek GregTheGreek mentioned this issue May 8, 2021
Merged
@markus0x1 markus0x1 mentioned this issue Sep 7, 2022
Merged
This was referenced Mar 15, 2023
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump underscore web3/web3.js
4 participants
@azerella @tgardiner @smartcontracts @GregTheGreek