[Bot] docs: Update Snyk report #20052

Merged, 1 commit, Sep 24, 2024
28 changes: 21 additions & 7 deletions docs/snyk/index.md
Expand Up @@ -14,21 +14,35 @@ recent minor releases.
| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](master/argocd-test.html) | 0 | 0 | 1 | 0 |
| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 1 | 0 |
| [dex:v2.41.1](master/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 1 |
| [haproxy:2.6.17-alpine](master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 |
| [redis:7.0.15-alpine](master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 4 | 8 |
| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 3 | 8 |
| [redis:7.0.15-alpine](master/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |

### v2.13.0-rc2

| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.13.0-rc2/argocd-test.html) | 0 | 0 | 1 | 0 |
| [ui/yarn.lock](v2.13.0-rc2/argocd-test.html) | 0 | 0 | 1 | 0 |
| [dex:v2.41.1](v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 1 |
| [haproxy:2.6.17-alpine](v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 |
| [redis:7.0.15-alpine](v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [argocd:v2.13.0-rc2](v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html) | 0 | 0 | 3 | 8 |
| [redis:7.0.15-alpine](v2.13.0-rc2/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [install.yaml](v2.13.0-rc2/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.13.0-rc2/argocd-iac-namespace-install.html) | - | - | - | - |

### v2.12.3

| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.12.3/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](v2.12.3/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](v2.12.3/argocd-test.html) | 0 | 1 | 2 | 0 |
| [dex:v2.38.0](v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 |
| [haproxy:2.6.17-alpine](v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 |
| [redis:7.0.15-alpine](v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
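Review bot: the v2.12.3 ui/yarn.lock row moves from 0 to 1 High while the master ui/yarn.lock row drops from 2 to 1 Medium, so this update introduces a new High-severity finding on a release branch that the summary table does not name; the PR body or commit message should call it out rather than leaving it to a bot-merged count change. The new v2.13.0-rc2 section also links exclusively to `v2.13.0-rc2/...` report files, none of which appear among the files shown in this diff, so confirm those reports are committed before the index points at them.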
Expand All @@ -42,10 +56,10 @@ recent minor releases.
| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.11.8/argocd-test.html) | 0 | 1 | 3 | 0 |
| [ui/yarn.lock](v2.11.8/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](v2.11.8/argocd-test.html) | 0 | 1 | 2 | 0 |
| [dex:v2.38.0](v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 |
| [haproxy:2.6.14-alpine](v2.11.8/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 |
| [argocd:v2.11.8](v2.11.8/quay.io_argoproj_argocd_v2.11.8.html) | 0 | 0 | 7 | 16 |
| [argocd:v2.11.8](v2.11.8/quay.io_argoproj_argocd_v2.11.8.html) | 0 | 0 | 8 | 16 |
| [redis:7.0.15-alpine](v2.11.8/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [install.yaml](v2.11.8/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.11.8/argocd-iac-namespace-install.html) | - | - | - | - |
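Review bot: same pattern as the v2.12.3 table: ui/yarn.lock goes from 0 to 1 High and argocd:v2.11.8 from 7 to 8 Medium, both regressions rather than the usual downward drift of a re-scan. A one-line note in the PR description naming the new High on this supported branch would keep it from being lost in a docs-only auto-merge.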
Expand All @@ -55,10 +69,10 @@ recent minor releases.
| | Critical | High | Medium | Low |
|---:|:--------:|:----:|:------:|:---:|
| [go.mod](v2.10.16/argocd-test.html) | 0 | 1 | 4 | 0 |
| [ui/yarn.lock](v2.10.16/argocd-test.html) | 0 | 0 | 2 | 0 |
| [ui/yarn.lock](v2.10.16/argocd-test.html) | 0 | 1 | 2 | 0 |
| [dex:v2.37.0](v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 10 | 6 |
| [haproxy:2.6.14-alpine](v2.10.16/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 |
| [argocd:v2.10.16](v2.10.16/quay.io_argoproj_argocd_v2.10.16.html) | 0 | 0 | 11 | 20 |
| [argocd:v2.10.16](v2.10.16/quay.io_argoproj_argocd_v2.10.16.html) | 0 | 0 | 12 | 20 |
| [redis:7.0.15-alpine](v2.10.16/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 |
| [install.yaml](v2.10.16/argocd-iac-install.html) | - | - | - | - |
| [namespace-install.yaml](v2.10.16/argocd-iac-namespace-install.html) | - | - | - | - |
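Review bot: v2.10.16 shows the identical delta as v2.11.8 (ui/yarn.lock 0 to 1 High, argocd image 11 to 12 Medium), which points to a single newly disclosed advisory hitting all three maintained branches; tracking the three rows under one issue would be cleaner than three unexplained count bumps across this file.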
2 changes: 1 addition & 1 deletion docs/snyk/master/argocd-iac-install.html
Expand Up @@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:20:57 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:21:06 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
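Review bot: this hunk changes only the `<p class="timestamp">` line, and the same timestamp-only change repeats in the other report files below. Consider having the report job skip committing a file whose only diff is the timestamp, so reviewers can immediately spot the reports whose findings actually changed.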
2 changes: 1 addition & 1 deletion docs/snyk/master/argocd-iac-namespace-install.html
Expand Up @@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:21:06 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:21:16 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
89 changes: 8 additions & 81 deletions docs/snyk/master/argocd-test.html
Expand Up @@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="3 known vulnerabilities found in 5 vulnerable dependency paths.">
<meta name="description" content="2 known vulnerabilities found in 4 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
Expand Down Expand Up @@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:18:53 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:18:54 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
Expand All @@ -467,8 +467,8 @@ <h1 class="project__header__title">Snyk test report</h1>
</div>

<div class="meta-counts">
<div class="meta-count"><span>3</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>5 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>4 vulnerable dependency paths</span></div>
<div class="meta-count"><span>2132</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
Expand Down Expand Up @@ -561,7 +561,7 @@ <h3 class="card__section__title">Detailed paths</h3>
<h2 id="overview">Overview</h2>
<p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression <code>/^\/([^\/]+?)-([^\/]+?)\/?$/</code>, if two parameters within a single segment are separated by a character other than a <code>/</code> or <code>.</code>. Poor performance will block the event loop and can lead to a DoS.</p>
<p><strong>Note:</strong>
Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this attack vector, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.</p>
While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the <code>strict</code> option, which returns an error if a dangerous regular expression is detected.</p>
<h2 id="workaround">Workaround</h2>
<p>This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes <code>-</code> and <code>/</code>.</p>
<h2 id="poc">PoC</h2>
Expand Down Expand Up @@ -629,11 +629,13 @@ <h2 id="details">Details</h2>
</tbody></table>
<p>By the time the string includes 14 C&#39;s, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>path-to-regexp</code> to version 8.0.0 or higher.</p>
<p>Upgrade <code>path-to-regexp</code> to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f">GitHub Commit</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6">GitHub Commit</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/commit/f73ec6c86b06f544b977119c2b62a16de480a6a9">GitHub Commit</a></li>
<li><a href="https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0">Strict Mode Release Note</a></li>
<li><a href="https://blakeembrey.com/posts/2024-09-web-redos/">Vulnerability Write-up</a></li>
</ul>
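Review bot: the updated Remediation line now lists 0.1.10, 1.9.0, 3.3.0, 6.3.0 and 8.0.0 as fixed versions, but the rewritten Note paragraph in the same card says the pre-8 backports remain vulnerable when custom regular expressions are used and that only 7.1.0+ enforces this via the `strict` option. The card should state which path-to-regexp version ui/yarn.lock currently resolves to, so it is clear whether the upgrade target for the Argo CD UI is a backport (still requiring controlled regular expression input) or 8.0.0, where the vulnerable functionality was removed.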

Expand Down Expand Up @@ -735,81 +737,6 @@ <h2 id="references">References</h2>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Template Injection</h2>
<div class="card__section">

<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
</li>
<li class="card__meta__item">
Package Manager: npm
</li>
<li class="card__meta__item">
Vulnerable module:

dompurify
</li>

<li class="card__meta__item">Introduced through:


argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others
</li>
</ul>

<hr/>


<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
argo-cd-ui@1.0.0
<span class="list-paths__item__arrow">›</span>
redoc@2.0.0-rc.64
<span class="list-paths__item__arrow">›</span>
dompurify@2.3.6

</span>

</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="overview">Overview</h2>
<p><a href="https://github.com/cure53/DOMPurify">dompurify</a> is a DOM-only XSS sanitizer for HTML, MathML and SVG.</p>
<p>Affected versions of this package are vulnerable to Template Injection in <code>purify.js</code>, due to inconsistencies in the parsing of XML and HTML tags. Executable code can be injected in HTML inside XML <code>CDATA</code> blocks.</p>
<h2 id="poc">PoC</h2>
<pre><code>&lt;![CDATA[ &gt;&lt;img src onerror=alert(1)&gt; ]]&gt;
</code></pre>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>dompurify</code> to version 2.4.9, 3.0.11 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/cure53/DOMPurify/commit/0940755eacc86e48fd57ee90e9238964034c49b7">GitHub Commit</a></li>
<li><a href="https://github.com/cure53/DOMPurify/commit/c60a4dfdabc50fe67b758f1efff8c03d2b8c5472">GitHub Commit</a></li>
<li><a href="https://flatt.tech/research/posts/bypassing-dompurify-with-good-old-xml/">Vulnerability Report</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-JS-DOMPURIFY-6474511">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
</div><!-- cards -->
</div>
</main><!-- .layout-stacked__content -->
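Review bot: the dompurify Template Injection card (SNYK-JS-DOMPURIFY-6474511, path argo-cd-ui@1.0.0 › redoc@2.0.0-rc.64 › dompurify@2.3.6) disappears, which matches the meta-counts drop from 3 to 2 known vulnerabilities and the master ui/yarn.lock row in index.md going from 2 to 1 Medium. Nothing in this diff shows the dependency change that removed dompurify@2.3.6 from that path, though; the PR body should link the ui/yarn.lock change so the removal can be confirmed as a fix rather than a Snyk policy ignore.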
2 changes: 1 addition & 1 deletion docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html
Expand Up @@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:19:03 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:19:01 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>
Expand Up @@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:19:08 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:19:15 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
Expand Up @@ -456,7 +456,7 @@
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>

<p class="timestamp">September 15th 2024, 12:19:12 am (UTC+00:00)</p>
<p class="timestamp">September 22nd 2024, 12:19:21 am (UTC+00:00)</p>
</div>
<div class="source-panel">
<span>Scanned the following paths:</span>