Project

General

Profile

Actions

Bug #22707

closed

Vulnerability in decode-uri-component

Added by Alexis Mousset over 1 year ago. Updated over 1 year ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

— check npm dependencies3s

[2023-04-26T19:08:45.326Z] + npx better-npm-audit audit --level high

[2023-04-26T19:08:45.604Z] ╔═════════════════════════════════════════════════════════════════════╗

[2023-04-26T19:08:45.604Z] ║                     === list of exceptions ===                      ║

[2023-04-26T19:08:45.604Z] ║                                                                     ║

[2023-04-26T19:08:45.604Z] ║ ID                  │ Status │ Expiry │ Notes                       ║

[2023-04-26T19:08:45.604Z] ║ GHSA-ww39-953v-wcq6 │ active │        │ Only a DoS, let's ignore it ║

[2023-04-26T19:08:45.604Z] ╚═════════════════════╧════════╧════════╧═════════════════════════════╝

[2023-04-26T19:08:45.604Z] 

[2023-04-26T19:08:48.265Z] ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗

[2023-04-26T19:08:48.265Z] ║                                                                        === npm audit security report ===                                                                        ║

[2023-04-26T19:08:48.265Z] ║                                                                                                                                                                                 ║

[2023-04-26T19:08:48.265Z] ║ ID      │ Module               │ Title                                              │ Paths                │ Sev.     │ URL                                               │ Ex. ║

[2023-04-26T19:08:48.265Z] ║ 1088899 │ angular              │ Angular (deprecated package) Cross-site Scripting  │ angular              │ moderate │ https://github.com/advisories/GHSA-prc3-vjfx-vhm9 │ n   ║

[2023-04-26T19:08:48.265Z] ║ 1089210 │ angular              │ angular vulnerable to regular expression denial of │ angular              │ moderate │ https://github.com/advisories/GHSA-m2h2-264f-f486 │ n   ║

[2023-04-26T19:08:48.265Z] ║         │                      │ service (ReDoS)                                    │                      │          │                                                   │     ║

[2023-04-26T19:08:48.265Z] ║ 1091652 │ decode-uri-component │ decode-uri-component vulnerable to Denial of       │ decode-uri-component │ high     │ https://github.com/advisories/GHSA-w573-4hg7-7wgq │ n   ║

[2023-04-26T19:08:48.265Z] ║         │                      │ Service (DoS)                                      │                      │          │                                                   │     ║

[2023-04-26T19:08:48.265Z] ║ 1091181 │ glob-parent          │ glob-parent before 5.1.2 vulnerable to Regular     │ glob-parent          │ high     │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │ y   ║

[2023-04-26T19:08:48.265Z] ║         │                      │ Expression Denial of Service in enclosure regex    │                      │          │                                                   │     ║

[2023-04-26T19:08:48.265Z] ║ 1091725 │ request              │ Server-Side Request Forgery in Request             │ request              │ moderate │ https://github.com/advisories/GHSA-p8p7-x288-28g6 │ n   ║

[2023-04-26T19:08:48.265Z] ╚═════════╧══════════════════════╧════════════════════════════════════════════════════╧══════════════════════╧══════════╧═══════════════════════════════════════════════════╧═════╝

[2023-04-26T19:08:48.265Z] 

[2023-04-26T19:08:48.265Z] 1 vulnerabilities found. Node security advisories: 1091652

script returned exit code 1
Actions #1

Updated by Alexis Mousset over 1 year ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset over 1 year ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/4778
Actions #3

Updated by Alexis Mousset over 1 year ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by Alexis Mousset over 1 year ago

  • Fix check changed from To do to Checked
Actions #5

Updated by Vincent MEMBRÉ over 1 year ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.3.1 which was released today.

Actions

Also available in: Atom PDF