Bug #24995

closed

Ignore braces DoS in 7.3

Added by Clark ANDRIANASOLO 5 months ago. Updated 5 months ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Severity: Trivial - no functional impact | cosmetic
UX impact:
User visibility:
Effort required: Very Small
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

npx better-npm-audit audit --level high
╔═════════════════════════════════════════════════════════════════════╗
║                     === list of exceptions ===                      ║
║                                                                     ║
║ ID                  │ Status │ Expiry │ Notes                       ║
║ GHSA-ww39-953v-wcq6 │ active │        │ Only a DoS, let's ignore it ║
║ GHSA-w573-4hg7-7wgq │ active │        │ Only a DoS, let's ignore it ║
║ GHSA-4w4v-5hc9-xrr2 │ active │        │ Only a DoS, let's ignore it ║
╚═════════════════════╧════════╧════════╧═════════════════════════════╝

╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
║                                                                                  === npm audit security report ===                                                                                   ║
║                                                                                                                                                                                                      ║
║ ID      │ Module               │ Title                                              │ Paths                                     │ Sev.     │ URL                                               │ Ex. ║
║ 1089210 │ angular              │ angular vulnerable to regular expression denial of │ angular                                   │ moderate │ https://github.com/advisories/GHSA-m2h2-264f-f486 │ n   ║
║         │                      │ service (ReDoS)                                    │                                           │          │                                                   │     ║
║ 1093574 │ angular              │ Angular (deprecated package) Cross-site Scripting  │ angular                                   │ moderate │ https://github.com/advisories/GHSA-prc3-vjfx-vhm9 │ n   ║
║ 1094512 │ angular              │ angular vulnerable to regular expression denial of │ angular                                   │ moderate │ https://github.com/advisories/GHSA-2vrf-hf26-jrp5 │ n   ║
║         │                      │ service via the angular.copy() utility             │                                           │          │                                                   │     ║
║ 1094513 │ angular              │ angular vulnerable to regular expression denial of │ angular                                   │ moderate │ https://github.com/advisories/GHSA-2qqx-w9hr-q5gx │ n   ║
║         │                      │ service via the $resource service                  │                                           │          │                                                   │     ║
║ 1094514 │ angular              │ angular vulnerable to regular expression denial of │ angular                                   │ moderate │ https://github.com/advisories/GHSA-qwqh-hm9m-p5hr │ n   ║
║         │                      │ service via the <input type="url"> element         │                                           │          │                                                   │     ║
║ 1097291 │ angular              │ angular vulnerable to super-linear runtime due to  │ angular                                   │ high     │ https://github.com/advisories/GHSA-4w4v-5hc9-xrr2 │ y   ║
║         │                      │ backtracking                                       │                                           │          │                                                   │     ║
║ 1097496 │ braces               │ Uncontrolled resource consumption in braces        │ braces                                    │ high     │ https://github.com/advisories/GHSA-grv7-fg5c-xmjg │ n   ║
║         │                      │                                                    │ elm-test>braces                           │          │                                                   │     ║
║         │                      │                                                    │ fast-glob>braces                          │          │                                                   │     ║
║ 1094087 │ decode-uri-component │ decode-uri-component vulnerable to Denial of       │ decode-uri-component                      │ high     │ https://github.com/advisories/GHSA-w573-4hg7-7wgq │ y   ║
║         │                      │ Service (DoS)                                      │                                           │          │                                                   │     ║
║ 1096592 │ es5-ext              │ es5-ext vulnerable to Regular Expression Denial of │ es5-ext                                   │ low      │ https://github.com/advisories/GHSA-4gmj-3p3h-gm8h │ n   ║
║         │                      │ Service in `function#copy` and                     │                                           │          │                                                   │     ║
║         │                      │ `function#toStringTokens`                          │                                           │          │                                                   │     ║
║ 1095007 │ glob-parent          │ glob-parent vulnerable to Regular Expression       │ glob-parent                               │ high     │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │ y   ║
║         │                      │ Denial of Service in enclosure regex               │                                           │          │                                                   │     ║
║ 1096727 │ request              │ Server-Side Request Forgery in Request             │ request                                   │ moderate │ https://github.com/advisories/GHSA-p8p7-x288-28g6 │ n   ║
║ 1096483 │ semver               │ semver vulnerable to Regular Expression Denial of  │ semver                                    │ moderate │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw │ n   ║
║         │                      │ Service                                            │                                           │          │                                                   │     ║
║ 1096643 │ tough-cookie         │ tough-cookie Prototype Pollution vulnerability     │ tough-cookie                              │ moderate │ https://github.com/advisories/GHSA-72xf-g2v4-qvf3 │ n   ║
╚═════════╧══════════════════════╧════════════════════════════════════════════════════╧═══════════════════════════════════════════╧══════════╧═══════════════════════════════════════════════════╧═════╝

1 vulnerabilities found. Node security advisories: 1097496
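One way to record this exception and keep it from going stale, as an added Python example that is not the Rudder project's code and does not reproduce what the linked pull request does: it writes a `.nsprc` file in the layout better-npm-audit documents (advisory ID mapped to `active`, `expiry` and `notes`; this layout is assumed here, check it against the tool version you run) and flags entries that have no justification, no expiry, or an expiry already in the past. The expiry dates below are constructed for the example; the ticket's three existing exceptions have none.

```python
"""Maintain and sanity-check a better-npm-audit exception file (.nsprc).

Added example, not code from the Rudder repository. The .nsprc layout
(advisory ID -> {active, expiry, notes}, or ID -> note string) is assumed
from better-npm-audit's documentation.
"""
import json
import re
import tempfile
from datetime import date, datetime, timezone

# Advisory IDs use GitHub's GHSA alphabet: digits 2-9 and cfghjmpqrvwx.
GHSA_ID = re.compile(r"GHSA(-[23456789cfghjmpqrvwx]{4}){3}")

# The three exceptions shown in the report above plus the braces advisory this
# ticket adds. Expiry values are constructed for the example (the ticket has none).
EXCEPTIONS = {
    "GHSA-ww39-953v-wcq6": {"active": True, "expiry": "2025-12-31T00:00:00.000Z",
                            "notes": "Only a DoS, let's ignore it"},
    "GHSA-w573-4hg7-7wgq": {"active": True, "expiry": "2025-12-31T00:00:00.000Z",
                            "notes": "Only a DoS, let's ignore it"},
    "GHSA-4w4v-5hc9-xrr2": {"active": True, "expiry": "2025-12-31T00:00:00.000Z",
                            "notes": "Only a DoS, let's ignore it"},
    # braces (reached via elm-test and fast-glob, i.e. build tooling)
    "GHSA-grv7-fg5c-xmjg": {"active": True, "expiry": "2025-12-31T00:00:00.000Z",
                            "notes": "Only a DoS, let's ignore it"},
}


def write_nsprc(path, exceptions):
    """Serialise the exception map as the JSON document better-npm-audit reads."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(exceptions, fh, indent=2)
        fh.write("\n")


def load_nsprc(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def nsprc_round_trip(exceptions):
    """Write the map to a temporary .nsprc and read it back (used for checking)."""
    with tempfile.NamedTemporaryFile("w", suffix=".nsprc", delete=False) as tmp:
        tmp_path = tmp.name
    write_nsprc(tmp_path, exceptions)
    return load_nsprc(tmp_path)


def audit_exceptions(exceptions, today=None):
    """Return (advisory_id, problem) pairs a reviewer should look at.

    Flags: malformed GHSA id, empty notes, missing expiry (the exception would
    silently outlive its justification) and an expiry that has already passed.
    `today` may be a date or an ISO date string; defaults to the current UTC date.
    """
    if today is None:
        today = datetime.now(timezone.utc).date()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for adv_id, entry in exceptions.items():
        if isinstance(entry, str):  # short form: the whole value is the note
            entry = {"active": True, "notes": entry}
        if not GHSA_ID.fullmatch(adv_id):
            findings.append((adv_id, "malformed GHSA id"))
        if not entry.get("notes"):
            findings.append((adv_id, "no justification"))
        expiry = entry.get("expiry")
        if not expiry:
            findings.append((adv_id, "no expiry"))
            continue
        exp_date = date.fromisoformat(expiry[:10])  # keep the YYYY-MM-DD part
        if exp_date < today:
            findings.append((adv_id, f"expired on {exp_date.isoformat()}"))
    return findings


if __name__ == "__main__":
    write_nsprc(".nsprc", EXCEPTIONS)
    for adv_id, problem in audit_exceptions(EXCEPTIONS):
        print(f"{adv_id}: {problem}")
```

The report above reaches braces only through `elm-test` and `fast-glob`, which is the usual basis for accepting a DoS-only advisory in build tooling; an expiry on the entry is what forces that judgement to be revisited instead of becoming permanent.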

Subtasks 1 (0 open, 1 closed)

Bug #24998: Ignore braces DoS in plugins in 7.3 (Released, Vincent MEMBRÉ)
Actions #1

Updated by Clark ANDRIANASOLO 5 months ago

  • Status changed from New to In progress
Actions #2

Updated by Clark ANDRIANASOLO 5 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder/pull/5720
Actions #3

Updated by Clark ANDRIANASOLO 5 months ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by Clark ANDRIANASOLO 5 months ago

  • Subtask #24998 added
Actions #5

Updated by Clark ANDRIANASOLO 5 months ago

  • Fix check changed from To do to Checked
Actions #6

Updated by Vincent MEMBRÉ 5 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.3.16, 8.0.10 and 8.1.5, which were released today.
