This thread has been locked.

UNIFLASH: Uniflash Software Has Critical Risk

Part Number: UNIFLASH

We performed a risk assessment of the Uniflash software, version 8.8.0.

Our assessment identified 2 Remote Code Execution findings associated with the following components:

Component: Lodash 3.10.1
Threat Vector: Remote Code Execution (RCE), BDSA-2020-3839 and many other CVEs, including CVE-2020-8239, CVE-2021-23337, CVE-2018-3721
Path: uniflash/public/lib/lodash/lodash.js, uniflash/public/lib/lodash/lodash.min.js

Component: SQLite JDBC 3.21.0
Threat Vector: Remote Code Execution (RCE), CVE-2023-32697
Path: deskdb/content/TICloudAgent/win/ccs_base/emulation/analysis/traceplugin-Repo.zip

I have the following questions:

 

  1. Could you please confirm if these components are impacted?
  2. If they are not impacted, could you please provide a rationale as to why?
  3. If they are impacted, do you have a security patch to address these vulnerabilities?

  • Hello,

    We are looking into this and will get back to you when we have more answers.

    Thanks

    ki

  • Hi W P,

    Thank you for highlighting these potential risks.

    1. Lodash v3.10.1 - this is a relatively old version of the library. We will look into updating this library to the latest version (v4.17.21) for the next UniFlash (target release end of November).

    2. traceplugin-Repo.zip - this zip was incorrectly included in the UniFlash package, and is only needed for Trace features in CCS. This file can be safely deleted. We will look into removing this file from the UniFlash installation for the next release.

    Thank you,

    Ricky
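The two actions in the reply above (confirm which Lodash version a given UniFlash tree actually ships, and check whether the stray traceplugin-Repo.zip is still present) can be verified locally before and after an update. The script below is an added example written for this page; it is not TI's code or part of UniFlash. It uses the relative paths and the 4.17.21 target version quoted in the thread, and it assumes the Lodash version marker appears either as `var VERSION = '3.10.1';` (full build) or as `lodash 3.10.1` in the license header (minified build); the sample install tree it builds is constructed for the demo and is not a real installation.

```python
"""Local inventory check for the two findings discussed in the thread (added example)."""
import re
import tempfile
from pathlib import Path

# Minimum fixed Lodash version named in the reply; the assessed build shipped 3.10.1.
LODASH_MIN_FIXED = (4, 17, 21)

# Relative paths taken from the finding table on the page.
LODASH_FILES = [
    "uniflash/public/lib/lodash/lodash.js",
    "uniflash/public/lib/lodash/lodash.min.js",
]
TRACEPLUGIN_ZIP = (
    "deskdb/content/TICloudAgent/win/ccs_base/emulation/analysis/traceplugin-Repo.zip"
)

# Assumed version markers: `var VERSION = '3.10.1';` in the full build,
# `lodash 3.10.1` in the license header of minified builds.
_VERSION_PATTERNS = [
    re.compile(r"""VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]"""),
    re.compile(r"[Ll]odash\s+v?(\d+\.\d+\.\d+)"),
]


def parse_version(text: str):
    """Return the first semver marker found as an int tuple, or None."""
    for pat in _VERSION_PATTERNS:
        m = pat.search(text)
        if m:
            return tuple(int(part) for part in m.group(1).split("."))
    return None


def check_install(root: Path) -> dict:
    """Inspect an install root for the two components from the thread.

    'lodash' holds (relative path, version tuple or None, status) per file;
    'vulnerable' is True when any shipped Lodash copy is older than the fixed
    version, cannot be identified, or the trace plugin zip is still present.
    """
    result = {"lodash": [], "traceplugin_zip": False, "vulnerable": False}
    for rel in LODASH_FILES:
        path = root / rel
        if not path.exists():
            result["lodash"].append((rel, None, "missing"))
            continue
        version = parse_version(path.read_text(encoding="utf-8", errors="replace"))
        if version is None:
            status = "unknown"          # unidentifiable copy: treat as needs review
        elif version < LODASH_MIN_FIXED:
            status = "outdated"
        else:
            status = "ok"
        result["lodash"].append((rel, version, status))
        if status != "ok":
            result["vulnerable"] = True
    zip_path = root / TRACEPLUGIN_ZIP
    result["traceplugin_zip"] = zip_path.exists()
    if result["traceplugin_zip"]:
        result["vulnerable"] = True
    return result


def build_sample_install(root: Path) -> None:
    """Constructed sample tree mirroring the finding paths (not a real UniFlash install)."""
    full = root / LODASH_FILES[0]
    full.parent.mkdir(parents=True, exist_ok=True)
    full.write_text("/** lodash (Custom Build) */\n;(function(){\n  var VERSION = '3.10.1';\n}());\n")
    minified = root / LODASH_FILES[1]
    minified.write_text("/**\n * @license\n * lodash 3.10.1 (Custom Build) lodash.com/license\n */\n")
    zip_path = root / TRACEPLUGIN_ZIP
    zip_path.parent.mkdir(parents=True, exist_ok=True)
    zip_path.write_bytes(b"PK\x05\x06" + b"\x00" * 18)  # minimal empty zip, constructed


def demo() -> dict:
    """Build the constructed tree in a temp dir and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_install(root)
        return check_install(root)


if __name__ == "__main__":
    report = demo()
    for rel, version, status in report["lodash"]:
        print(f"{rel}: {version} ({status})")
    print("traceplugin-Repo.zip present:", report["traceplugin_zip"])
    print("action needed:", report["vulnerable"])
```

Point `check_install` at a real install root (for example the directory containing `uniflash/`) to get the same report for an actual deployment; after the vendor update the Lodash entries should read `ok` and the zip check should be `False`. An `unknown` status is deliberately counted as needing action, since a copy whose version cannot be read should be compared by hash against the upstream release rather than assumed fixed.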