
@azure/identity is using vulnerable version of axios@0.20.0 with high severity #13088

Closed
1 of 6 tasks
compulim opened this issue Jan 6, 2021 · 14 comments · Fixed by #13090
Labels: Azure.Identity; blocking-release (Blocks release); bug (This issue requires a change to an existing behavior in the product in order to be resolved); Client (This issue points to a problem in the data-plane of the library); customer-reported (Issues that are reported by GitHub users external to the Azure organization)

Comments


compulim commented Jan 6, 2021

  • Package Name: @azure/identity
  • Package Version: 1.2.0
  • Operating system:
  • nodejs
    • version: 14.10.1
  • browser
    • name/version:
  • typescript
    • version:
  • Is the bug related to documentation in

Describe the bug

axios@0.20.0 has high severity vulnerability, documented at https://npmjs.com/advisories/1594. It is fixed in axios@>0.21.1.

Since @azure/identity is a base package of other SDKs, the issue could have a broad impact across all SDKs.

To Reproduce
Steps to reproduce the behavior:

  1. npm install @azure/identity

Expected behavior
It should not report any vulnerabilities.

Screenshots

[two screenshots, not preserved]

Additional context

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 6, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jan 6, 2021
@ramya-rao-a ramya-rao-a added Client This issue points to a problem in the data-plane of the library. needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. labels Jan 6, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jan 6, 2021
@ghost ghost added the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Jan 6, 2021
ramya-rao-a (Contributor) commented:

Thanks for reporting @compulim

cc @jonathandturner

ramya-rao-a (Contributor) commented:

@jonathandturner The axios package is also used by @azure/msal-node which we use. Can we get it updated upstream as well? See https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/2ab1fb8f280ab49a42c7eaabfa4c3ec941aa19e1/lib/msal-node/package.json#L74

rahulbreddy commented:

Will this be fixed in the 1.2.1 release? If yes, when can we expect 1.2.1 to be available?

rmiraballes commented:

This issue is also affecting @azure/loganalytics. Can it be updated for this package too?

ramya-rao-a (Contributor) commented:

@rmiraballes @azure/loganalytics depends on @azure/ms-rest-js, which in turn depends on axios. We merged the fix for this in Azure/ms-rest-js#407 and will be releasing an update soon.

ramya-rao-a (Contributor) commented:

@rmiraballes We just released an update for @azure/ms-rest-js, so you should be good with @azure/loganalytics.

rmiraballes commented:

@ramya-rao-a Thanks


ccaspers commented Jan 8, 2021

At least for me, the issue persists because version 1.2.1 depends on "@azure/msal-node": "1.0.0-beta.1", which in turn depends on "axios": "^0.19.2".
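The original report and the comment above describe the same failure mode from two angles: a patched top-level axios can hide a second, still-vulnerable copy that @azure/msal-node resolves from its own nested node_modules. The script below is an added example, not code from the issue, the Azure SDK or any commenter: it walks a lockfile (lockfileVersion 1 layout) with Node's lookup order and reports every logical dependency chain that ends in an axios below 0.21.1. The package.json and lockfile it reads are constructed to model the state described in this thread.

```javascript
// Added example, not code from the issue or the Azure SDK: resolve the logical dependency
// chains in an npm lockfile (lockfileVersion 1: nested "dependencies", per-package "requires")
// the way Node's module lookup does and report chains ending in a still-vulnerable version.
// Version comparison ignores pre-release tags, which is enough for the axios versions here.

const ADVISORY = { name: "axios", fixedIn: "0.21.1" }; // fix version cited in the issue

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` sorts strictly before `fixedIn` (major, minor, patch).
function isBelow(version, fixedIn) {
  const a = parseVersion(version), b = parseVersion(fixedIn);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// rootRequires: the application's own package.json "dependencies" (lockfile v1 does not
// separate direct dependencies from hoisted transitive ones at the top level).
function findVulnerableChains(lock, rootRequires, advisory = ADVISORY) {
  const hits = [];
  const onPath = new Set(); // packages on the current DFS path, to stop on dependency cycles

  // Look `name` up from the innermost nested node_modules outwards, as Node would.
  function resolve(name, scopes) {
    for (let i = scopes.length - 1; i >= 0; i--) {
      const found = scopes[i][name];
      if (found) return { info: found, scopes: [...scopes.slice(0, i + 1), found.dependencies || {}] };
    }
    return null;
  }

  function walk(requires, scopes, chain) {
    for (const name of Object.keys(requires || {})) {
      const r = resolve(name, scopes);
      if (!r) continue; // not installed (e.g. an optional dependency)
      const next = [...chain, `${name}@${r.info.version}`];
      if (name === advisory.name && isBelow(r.info.version, advisory.fixedIn)) hits.push(next.join(" > "));
      if (onPath.has(r.info)) continue;
      onPath.add(r.info);
      walk(r.info.requires, r.scopes, next);
      onPath.delete(r.info);
    }
  }

  walk(rootRequires, [lock.dependencies || {}], [lock.name]);
  return hits;
}

// Constructed sample modelling the reported state of @azure/identity 1.2.1: the hoisted axios is
// patched, but @azure/msal-node's "^0.19.2" requirement resolves to its own nested vulnerable copy.
const samplePackageJson = { name: "my-app", dependencies: { "@azure/identity": "^1.2.1" } };
const sampleLock = {
  name: "my-app",
  dependencies: {
    "@azure/identity": { version: "1.2.1", requires: { "@azure/msal-node": "1.0.0-beta.1", axios: "^0.21.1" } },
    "@azure/msal-node": {
      version: "1.0.0-beta.1",
      requires: { axios: "^0.19.2" },
      dependencies: { axios: { version: "0.19.2" } }, // nested copy shadows the top-level one
    },
    axios: { version: "0.21.1" },
  },
};

function auditSample() {
  return findVulnerableChains(sampleLock, samplePackageJson.dependencies);
}
```

Running it against a real project means replacing the two constructed objects with the parsed package.json and package-lock.json; the chain it prints is the one `npm audit` only summarises.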


rmiraballes commented Jan 8, 2021

Yes, it is still happening in @azure/identity@1.2.1, because of the @azure/msal-node dependency:
https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/identity/identity/package.json#L86

It is fixed on @azure/loganalytics.

ramya-rao-a (Contributor) commented:

The PR to update axios in @azure/msal-node was merged yesterday, see AzureAD/microsoft-authentication-library-for-js#2825.

Once an update to @azure/msal-node is released, we can look into updating our dependency on it as well.

ramya-rao-a (Contributor) commented:

@azure/msal-node has released an update with the fix.
Re-opening this issue until we update the @azure/msal-node dependency in @azure/identity.

@ramya-rao-a ramya-rao-a reopened this Jan 12, 2021
@ramya-rao-a ramya-rao-a added bug This issue requires a change to an existing behavior in the product in order to be resolved. and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 12, 2021
ramya-rao-a (Contributor) commented:

@jonathandturner Can we close this issue now that 1.2.2 of @azure/identity is released?

@ramya-rao-a ramya-rao-a added this to the [2021] February milestone Jan 19, 2021
@ramya-rao-a ramya-rao-a removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Jan 19, 2021
@sadasant sadasant added the blocking-release Blocks release label Jan 25, 2021
sadasant (Contributor) commented Jan 25, 2021

@ramya-rao-a we're not using Axios anymore on Identity, we've confirmed. We still have other packages that are using the old Axios though.

sophiajt (Contributor) commented:

Closing this issue, since the issue with Axios for @azure/identity should be solved with 1.2.2.

openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-js that referenced this issue Mar 4, 2021
Network november release (Azure#13224)
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023