Bug #24517

closed

Ignore angularjs DoS in 7.3

Added by Alexis Mousset 9 months ago. Updated 8 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

[2024-03-15T22:24:24.571Z] + npx better-npm-audit audit --level high
[2024-03-15T22:24:24.849Z] ╔═════════════════════════════════════════════════════════════════════╗
[2024-03-15T22:24:24.849Z] ║                     === list of exceptions ===                      ║
[2024-03-15T22:24:24.849Z] ║                                                                     ║
[2024-03-15T22:24:24.849Z] ║ ID                  │ Status │ Expiry │ Notes                       ║
[2024-03-15T22:24:24.849Z] ║ GHSA-ww39-953v-wcq6 │ active │        │ Only a DoS, let's ignore it ║
[2024-03-15T22:24:24.849Z] ║ GHSA-w573-4hg7-7wgq │ active │        │ Only a DoS, let's ignore it ║
[2024-03-15T22:24:24.849Z] ╚═════════════════════╧════════╧════════╧═════════════════════════════╝
[2024-03-15T22:24:24.849Z] 
[2024-03-15T22:24:26.870Z] ╔═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
[2024-03-15T22:24:26.870Z] ║                                                                        === npm audit security report ===                                                                        ║
[2024-03-15T22:24:26.870Z] ║                                                                                                                                                                                 ║
[2024-03-15T22:24:26.870Z] ║ ID      │ Module               │ Title                                              │ Paths                │ Sev.     │ URL                                               │ Ex. ║
[2024-03-15T22:24:26.870Z] ║ 1089210 │ angular              │ angular vulnerable to regular expression denial of │ angular              │ moderate │ https://github.com/advisories/GHSA-m2h2-264f-f486 │ n   ║
[2024-03-15T22:24:26.870Z] ║         │                      │ service (ReDoS)                                    │                      │          │                                                   │     ║
[2024-03-15T22:24:26.870Z] ║ 1093574 │ angular              │ Angular (deprecated package) Cross-site Scripting  │ angular              │ moderate │ https://github.com/advisories/GHSA-prc3-vjfx-vhm9 │ n   ║
[2024-03-15T22:24:26.870Z] ║ 1096633 │ angular              │ angular vulnerable to super-linear runtime due to  │ angular              │ high     │ https://github.com/advisories/GHSA-4w4v-5hc9-xrr2 │ n   ║
[2024-03-15T22:24:26.870Z] ║         │                      │ backtracking                                       │                      │          │                                                   │     ║
[2024-03-15T22:24:26.870Z] ║ 1094087 │ decode-uri-component │ decode-uri-component vulnerable to Denial of       │ decode-uri-component │ high     │ https://github.com/advisories/GHSA-w573-4hg7-7wgq │ y   ║
[2024-03-15T22:24:26.870Z] ║         │                      │ Service (DoS)                                      │                      │          │                                                   │     ║
[2024-03-15T22:24:26.870Z] ║ 1096592 │ es5-ext              │ es5-ext vulnerable to Regular Expression Denial of │ es5-ext              │ low      │ https://github.com/advisories/GHSA-4gmj-3p3h-gm8h │ n   ║
[2024-03-15T22:24:26.870Z] ║         │                      │ Service in `function#copy` and                     │                      │          │                                                   │     ║
[2024-03-15T22:24:26.870Z] ║         │                      │ `function#toStringTokens`                          │                      │          │                                                   │     ║
[2024-03-15T22:24:26.870Z] ║ 1095007 │ glob-parent          │ glob-parent vulnerable to Regular Expression       │ glob-parent          │ high     │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │ y   ║
[2024-03-15T22:24:26.870Z] ║         │                      │ Denial of Service in enclosure regex               │                      │          │                                                   │     ║
[2024-03-15T22:24:26.870Z] ║ 1092972 │ request              │ Server-Side Request Forgery in Request             │ request              │ moderate │ https://github.com/advisories/GHSA-p8p7-x288-28g6 │ n   ║
[2024-03-15T22:24:26.870Z] ║ 1096483 │ semver               │ semver vulnerable to Regular Expression Denial of  │ semver               │ moderate │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw │ n   ║
[2024-03-15T22:24:26.870Z] ║         │                      │ Service                                            │                      │          │                                                   │     ║
[2024-03-15T22:24:26.870Z] ║ 1096643 │ tough-cookie         │ tough-cookie Prototype Pollution vulnerability     │ tough-cookie         │ moderate │ https://github.com/advisories/GHSA-72xf-g2v4-qvf3 │ n   ║
[2024-03-15T22:24:26.870Z] ╚═════════╧══════════════════════╧════════════════════════════════════════════════════╧══════════════════════╧══════════╧═══════════════════════════════════════════════════╧═════╝
[2024-03-15T22:24:26.870Z] 
[2024-03-15T22:24:26.870Z] 1 vulnerabilities found. Node security advisories: 1096633

script returned exit code 1
Actions #1

Updated by Alexis Mousset 9 months ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset 9 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/5481
Actions #3

Updated by Alexis Mousset 9 months ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by Clark ANDRIANASOLO 9 months ago

  • Fix check changed from To do to Checked
Actions #5

Updated by Vincent MEMBRÉ 8 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.3.14, 8.0.8 and 8.1.1, which were released today.
