-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix 7 vulnerable dependencies identified by Prisma Cloud #46
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prisma Cloud has found errors in this PR ⬇️
packages/requirements.txt
Outdated
@@ -1,2 +1,2 @@ | |||
django==1.2 | |||
django == 3.2.4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
django 3.2.4 / requirements.txt
Total vulnerabilities: 19
Critical: 5 | High: 12 | Medium: 2 | Low: 0 |
---|
Vulnerability ID | Severity | CVSS | Fixed in | Status |
---|---|---|---|---|
CVE-2021-35042 | CRITICAL | 9.8 | 3.2.5 |
Open |
CVE-2022-28346 | CRITICAL | 9.8 | 3.2.13 |
Open |
CVE-2022-28347 | CRITICAL | 9.8 | 3.2.13 |
Open |
CVE-2022-34265 | CRITICAL | 9.8 | 3.2.14 |
Open |
CVE-2023-31047 | CRITICAL | 9.8 | 3.2.19 |
Open |
CVE-2023-41164 | HIGH | 7.5 | 3.2.21 |
Open |
CVE-2023-43665 | HIGH | 7.5 | 3.2.22 |
Open |
CVE-2023-46695 | HIGH | 7.5 | 3.2.23 |
Open |
CVE-2021-45116 | HIGH | 7.5 | 3.2.11 |
Open |
CVE-2021-45115 | HIGH | 7.5 | 3.2.11 |
Open |
CVE-2021-44420 | HIGH | 7.3 | 3.2.10 |
Open |
CVE-2022-23833 | HIGH | 7.5 | 3.2.12 |
Open |
CVE-2022-36359 | HIGH | 8.8 | 3.2.15 |
Open |
CVE-2022-41323 | HIGH | 7.5 | 3.2.16 |
Open |
CVE-2023-23969 | HIGH | 7.5 | 3.2.17 |
Open |
CVE-2023-24580 | HIGH | 7.5 | 3.2.18 |
Open |
CVE-2023-36053 | HIGH | 7.5 | 3.2.20 |
Open |
CVE-2021-45452 | MEDIUM | 5.3 | 3.2.11 |
Open |
CVE-2022-22818 | MEDIUM | 6.1 | 3.2.12 |
Open |
@@ -1,2 +1,2 @@ | |||
django==1.2 | |||
django == 3.2.4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
django 3.2.4 / requirements.txt
Total vulnerabilities: 19
Critical: 5 | High: 12 | Medium: 2 | Low: 0 |
---|
Vulnerability ID | Severity | CVSS | Fixed in | Status |
---|---|---|---|---|
CVE-2021-35042 | CRITICAL | 9.8 | 3.2.5 |
Open |
CVE-2022-28346 | CRITICAL | 9.8 | 3.2.13 |
Open |
CVE-2022-28347 | CRITICAL | 9.8 | 3.2.13 |
Open |
CVE-2022-34265 | CRITICAL | 9.8 | 3.2.14 |
Open |
CVE-2023-31047 | CRITICAL | 9.8 | 3.2.19 |
Open |
CVE-2023-41164 | HIGH | 7.5 | 3.2.21 |
Open |
CVE-2023-43665 | HIGH | 7.5 | 3.2.22 |
Open |
CVE-2023-46695 | HIGH | 7.5 | 3.2.23 |
Open |
CVE-2021-45116 | HIGH | 7.5 | 3.2.11 |
Open |
CVE-2021-45115 | HIGH | 7.5 | 3.2.11 |
Open |
CVE-2021-44420 | HIGH | 7.3 | 3.2.10 |
Open |
CVE-2022-23833 | HIGH | 7.5 | 3.2.12 |
Open |
CVE-2022-36359 | HIGH | 8.8 | 3.2.15 |
Open |
CVE-2022-41323 | HIGH | 7.5 | 3.2.16 |
Open |
CVE-2023-23969 | HIGH | 7.5 | 3.2.17 |
Open |
CVE-2023-24580 | HIGH | 7.5 | 3.2.18 |
Open |
CVE-2023-36053 | HIGH | 7.5 | 3.2.20 |
Open |
CVE-2021-45452 | MEDIUM | 5.3 | 3.2.11 |
Open |
CVE-2022-22818 | MEDIUM | 6.1 | 3.2.12 |
Open |
packages/sub/pom.xml
Outdated
@@ -40,12 +40,12 @@ | |||
<dependency> | |||
<groupId>org.apache.commons</groupId> | |||
<artifactId>commons-compress</artifactId> | |||
<version>1.20</version> | |||
<version>1.21</version> | |||
</dependency> | |||
<dependency> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
org.springframework:spring-core 6.0.8 / pom.xml
Total vulnerabilities: 2
Critical: 1 | High: 1 | Medium: 0 | Low: 0 |
---|
Vulnerability ID | Severity | CVSS | Fixed in | Status |
---|---|---|---|---|
CVE-2023-44794 | CRITICAL | 9.8 | - |
Open |
CVE-2023-34053 | HIGH | 7.5 | 6.0.14 |
Open |
8e4fb3d
to
75554fa
Compare
b3f31ca
to
75554fa
Compare
Prisma Cloud has detected new vulnerabilities or dependencies in the scan performed on Thu, 11 Jan 2024 10:46:58 UTC
This PR includes the fixes for the vulnerabilities discovered below:
DOMParser
andXMLSerializer
module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to thechildNodes
collection of theDocument
, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in thedocumentElement
or reject a document with a document that has more then 1childNode
.DOMParser
andXMLSerializer
module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to thechildNodes
collection of theDocument
, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in thedocumentElement
or reject a document with a document that has more then 1childNode
.@babel/traverse
prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions ofbabel-traverse
, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on thepath.evaluate()
orpath.evaluateTruthy()
internal Babel methods. Known affected plugins are@babel/plugin-transform-runtime
;@babel/preset-env
when using itsuseBuiltIns
option; and any "polyfill provider" plugin that depends on@babel/helper-define-polyfill-provider
, such asbabel-plugin-polyfill-corejs3
,babel-plugin-polyfill-corejs2
,babel-plugin-polyfill-es-shims
,babel-plugin-polyfill-regenerator
. No other plugins under the@babel/
namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in@babel/[email protected]
and@babel/[email protected]
. Those who cannot upgrade@babel/traverse
and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected@babel/traverse
versions:@babel/plugin-transform-runtime
v7.23.2,@babel/preset-env
v7.23.2,@babel/helper-define-polyfill-provider
v0.4.3,babel-plugin-polyfill-corejs2
v0.4.6, `babel-plugin-polyfill-cProxy
. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version3.9.18
ofvm2
. Users are advised to upgrade. There are no known workarounds for this vulnerability.handleException()
and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version3.9.16
ofvm2
.Error.prepareStackTrace
in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.DOMParser
andXMLSerializer
module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to thechildNodes
collection of theDocument
, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in thedocumentElement
or reject a document with a document that has more then 1childNode
.parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named__proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned byJSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned fromJSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.JSON5.parse
should restrict parsing of__proto__
keys when parsing JSON strings to objects. As a point of reference, theJSON.parse
method included in JavaScript ignores__proto__
keys. Simply changingJSON5.parse
toJSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 verengine.io
package starting from version4.0.0
, including those who uses depending packages likesocket.io
. Versions prior to4.0.0
are not impacted. A fix has been released for each major branch, namely4.1.2
for the4.x.x
branch,5.2.1
for the5.x.x
branch, and6.1.1
for the6.x.x
branch. There is no known workaround except upgrading to a safe version.inline.reflinkSearch
may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.block.def
may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding aDigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed innode-forge
version 1.3.0. There are currently no known workarounds.node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed innode-forge
version 1.3.0. There are currently no known workarounds.core.exportVariable
function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to theGITHUB_ENV
file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to@actions/core v1.9.1
. If you are unable to upgrade the@actions/core
package, you can modify your action to ensure that any user input does not contain the delimiter_GitHubActionsFileCommandDelimeter_
before callingcore.exportVariable
.socket.io
parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of theengine.io
package, including those who use depending packages likesocket.io
. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.shell.exec()
may be visible to other users on the same system. You may be affected if you executeshell.exec()
in multi-user Mac, Linux, or WSL environments, or if you executeshell.exec()
as the root user. Other shelljs functions (including the asynchronous version ofshell.exec()
) are not impacted. ### Patches Patched in shelljs 0.8.5 ### Workarounds Recommended action is to upgrade to 0.8.5. ### References https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/ ### For more information If you have any questions or comments about this advisory: * Ask at shelljs/shelljs#1058 * Open an issue at https://github.com/shelljs/shelljs/issues/newinspect
method and edit options forconsole.log
. As a result a threat actor can edit options for theconsole.log
command. This vulnerability was patched in the release of version3.9.18
ofvm2
. Users are advised to upgrade. Users unable to upgrade may make theinspect
method readonly withvm.readonly(inspect)
after creating a vm.node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly checkDigestInfo
for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed innode-forge
version 1.3.0. There are currently no known workarounds.forge.util.parseUrl
API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior. ### Patchesforge.util.parseUrl
and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API. ### Workarounds Ensure code does not directly or indirectly callforge.util.parseUrl
with untrusted input. ### References - https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/ ### For more information If you have any questions or comments about this advisory: * Open an issue in forge * Email us at [email protected]forge.debug
API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way. ### Patches Theforge.debug
API and related functions were removed in 1.0.0. ### Workarounds Don't use theforge.debug
API directly or indirectly with untrusted input. ### References - https://www.huntr.dev/bounties/1-npm-node-forge/ ### For more information If you have any questions or comments about this advisory: * Open an issue in forge. * Email us at [email protected].