Description
A critical vulnerability has been identified in the underscore package (versions 1.3.2 - 1.12.0) which is currently a dependency of the @allurereport/core and allure packages used in our project. This vulnerability allows for Arbitrary Code Execution (ACE).
Vulnerability Details
- Package: underscore
- Severity: Critical
- Advisory: GHSA-cf4h-3jhx-xvhq
- Dependency Path: allure -> @allurereport/core -> @allurereport/plugin-allure2 -> @allurereport/web-allure2 -> backbone.marionette -> underscore
Impact
The dependency tree forces the use of a vulnerable version of underscore, exposing the automation environment to potential Arbitrary Code Execution.
Steps to Reproduce
- Run `npm install allure`.
- Run `npm audit`.
```text
npm install allure
# npm audit report
underscore 1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix --force`
Will install allure@0.0.0, which is a breaking change
node_modules/underscore
  backbone.marionette 1.6.3 - 4.0.0
  Depends on vulnerable versions of underscore
  node_modules/backbone.marionette
    @allurereport/web-allure2 *
    Depends on vulnerable versions of backbone.marionette
    node_modules/@allurereport/web-allure2
      @allurereport/plugin-allure2 *
      Depends on vulnerable versions of @allurereport/web-allure2
      node_modules/@allurereport/plugin-allure2
        @allurereport/core *
        Depends on vulnerable versions of @allurereport/plugin-allure2
        node_modules/@allurereport/core
          allure >=3.0.0-beta.0
          Depends on vulnerable versions of @allurereport/core
          Depends on vulnerable versions of @allurereport/plugin-allure2
          node_modules/allure

6 critical severity vulnerabilities
```
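Added example (not from the issue or the Allure project): the check below reads a lockfile's `packages` map, flags underscore copies inside the advisory's version range, and returns the dependency chain that pulls each one in, the same chain `npm audit` prints above. The lockfile fragment and every version in it are constructed sample data; the `resolveDep` logic follows Node's nested-then-upward lookup so a copy hidden under `backbone.marionette/node_modules` is found as well.

```javascript
// Added example (not from the issue or the allure project): scan an npm lockfile's
// v2/v3 "packages" map for underscore copies in the advisory's range and return the
// dependency chain that pulls one in. Names match the issue; versions are made up.
const VULN_PKG = "underscore";
const VULN_RANGE = ["1.3.2", "1.12.0"]; // inclusive bounds from the audit report

// Compare dotted numeric versions; pre-release suffixes are ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
const isVulnerable = v => cmpVersion(v, VULN_RANGE[0]) >= 0 && cmpVersion(v, VULN_RANGE[1]) <= 0;

// Resolve a dependency as Node does: nested node_modules first, then walk upward.
function resolveDep(pkgs, fromPath, depName) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (pkgs[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from the root entry (""): shortest chain of package names to a
// vulnerable underscore copy, or null when none is installed.
function findVulnerableChain(lock) {
  const pkgs = lock.packages, queue = [["", []]], seen = new Set([""]);
  while (queue.length) {
    const [path, chain] = queue.shift();
    if (path.endsWith("node_modules/" + VULN_PKG) && isVulnerable(pkgs[path].version)) return chain;
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const target = resolveDep(pkgs, path, dep);
      if (target && !seen.has(target)) { seen.add(target); queue.push([target, chain.concat(dep)]); }
    }
  }
  return null;
}

// Constructed lockfile fragment mirroring the chain reported in the issue (versions made up).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { allure: "^3.0.0" } },
  "node_modules/allure": { version: "3.0.0", dependencies: { "@allurereport/core": "*" } },
  "node_modules/@allurereport/core": { version: "3.0.0", dependencies: { "@allurereport/plugin-allure2": "*" } },
  "node_modules/@allurereport/plugin-allure2": { version: "3.0.0", dependencies: { "@allurereport/web-allure2": "*" } },
  "node_modules/@allurereport/web-allure2": { version: "3.0.0", dependencies: { "backbone.marionette": "*" } },
  "node_modules/backbone.marionette": { version: "2.4.7", dependencies: { underscore: "^1.8.3" } },
  "node_modules/underscore": { version: "1.8.3" },
} };
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` (lockfileVersion 2 or 3) to `findVulnerableChain` instead of `SAMPLE_LOCK`; a `null` result after an upgrade confirms no in-range copy remains anywhere in the tree.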