CVE-2022-37601 found on trivy scan cypress version is 13.3.3 #28208

Closed
eagle-txec opened this issue Nov 1, 2023 · 8 comments · Fixed by #30159
Labels
type: security 🔐 Security related

Comments

@eagle-txec

Current behavior

Installed version is 1.4.0

Desired behavior

Upgrade fix version is 2.0.3

Test code to reproduce

Cypress Version

13.3.3

Node version

16.20.2

Operating System

Debug Logs

"VulnerabilityID": "CVE-2022-37601",
          "InstalledVersion": "1.4.0",
          "LastModifiedDate": "2023-02-28T15:02:00Z"
        },
        {
          "CVSS": {
            "nvd": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "ghsa": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "redhat": {
              "V3Score": 8.1,
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
            }
          },
          "Layer": {
            "DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
          },
          "PkgID": "loader-utils@1.4.0",
          "Title": "prototype pollution in function parseQuery in parseQuery.js",
          "CweIDs": [
            "CWE-1321"
          ],
          "Status": "fixed",
          "PkgName": "loader-utils",
          "PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/loader-utils/package.json",
          "Severity": "CRITICAL",
          "DataSource": {
            "ID": "ghsa",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
            "Name": "GitHub Security Advisory npm"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-37601",
          "References": [
            "http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf",
            "https://access.redhat.com/security/cve/CVE-2022-37601",
            "https://dl.acm.org/doi/abs/10.1145/3488932.3497769",
            "https://dl.acm.org/doi/pdf/10.1145/3488932.3497769",
            "https://github.com/webpack/loader-utils",
            "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L11",
            "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/parseQuery.js#L47",
            "https://github.com/webpack/loader-utils/commit/4504e34c4796a5836ef70458327351675aed48a5",
            "https://github.com/webpack/loader-utils/commit/a93cf6f4702012030f6b5ee8340d5c95ec1c7d4c",
            "https://github.com/webpack/loader-utils/commit/f4e48a232fae900237c3e5ff7b57ce9e1c734de1",
            "https://github.com/webpack/loader-utils/issues/212",
            "https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884",
            "https://github.com/webpack/loader-utils/pull/217",
            "https://github.com/webpack/loader-utils/pull/220",
            "https://github.com/webpack/loader-utils/releases/tag/v1.4.1",
            "https://github.com/webpack/loader-utils/releases/tag/v2.0.3",
            "https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826",
            "https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-37601",
            "https://www.cve.org/CVERecord?id=CVE-2022-37601"
          ],
          "Description": "Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.",
          "FixedVersion": "2.0.3, 1.4.1",
          "PublishedDate": "2022-10-12T20:15:00Z",

Other
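The scan result above names CWE-1321 (prototype pollution through the `name` variable in parseQuery). As an added illustration, not loader-utils' own code, here is a simplified hypothetical query parser showing the weakness class beside a hardened form and a check that detects the pollution:

```javascript
// Added, hypothetical simplified parser illustrating CWE-1321 as reported here; it is
// NOT loader-utils' real parseQuery.js and its nested "a[b]=c" handling is an assumption.
// tokenize("?a[b]=c&d=e") -> [{ keys: ["a","b"], value: "c" }, { keys: ["d"], value: "e" }]
function tokenize(query) {
  return query.replace(/^\?/, "").split("&").flatMap((pair) => {
    const idx = pair.indexOf("=");
    if (idx < 0) return [];
    const name = decodeURIComponent(pair.slice(0, idx));
    const value = decodeURIComponent(pair.slice(idx + 1));
    const nested = /^([^[\]]+)\[([^[\]]+)\]$/.exec(name);
    return [{ keys: nested ? [nested[1], nested[2]] : [name], value }];
  });
}
// Vulnerable shape: keys are written straight onto a plain {}, so an outer key of
// "__proto__" resolves to Object.prototype and the inner write lands on every object.
function parseQueryVulnerable(query) {
  const result = {};
  for (const { keys, value } of tokenize(query)) {
    if (keys.length === 1) {
      result[keys[0]] = value;
    } else {
      const [outer, inner] = keys;
      if (typeof result[outer] !== "object" || result[outer] === null) result[outer] = {};
      result[outer][inner] = value;
    }
  }
  return result;
}
// Hardened shape: null-prototype containers (no inherited __proto__ setter) plus an
// explicit reject list for names that reach the prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const { keys, value } of tokenize(query)) {
    if (keys.some((k) => FORBIDDEN_KEYS.has(k))) throw new Error(`rejected key: ${keys.join(".")}`);
    if (keys.length === 1) {
      result[keys[0]] = value;
    } else {
      const [outer, inner] = keys;
      if (!Object.prototype.hasOwnProperty.call(result, outer)) result[outer] = Object.create(null);
      result[outer][inner] = value;
    }
  }
  return result;
}
// Check: did parsing `query` with `parser` leak `probe` onto Object.prototype?
// The leaked property is deleted again so later code in the same process is unaffected.
function pollutesGlobalPrototype(parser, query, probe) {
  try { parser(query); } catch (e) { return false; }
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, probe);
  delete Object.prototype[probe];
  return leaked;
}
```

The same check can be pointed at any query parser in a dependency tree to confirm whether an upgrade (here loader-utils 1.4.1 / 2.0.3) actually closed the hole.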

@cypress-app-bot
Collaborator

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

@cypress-app-bot cypress-app-bot added the stale no activity on this issue for a long period label Apr 30, 2024
@cypress-app-bot
Collaborator

This issue has been closed due to inactivity.

@cypress-app-bot cypress-app-bot closed this as not planned Won't fix, can't repro, duplicate, stale May 14, 2024
@shank1290

@cypress-app-bot this issue still exists with Cypress 13.7.3

@jennifer-shehane jennifer-shehane added type: security 🔐 Security related and removed stale no activity on this issue for a long period labels May 16, 2024
@pwhite1989

This is still an issue on 13.9.0

@MikeMcC399
Contributor

To reproduce the report, use for example:

trivy image --ignore-unfixed --vuln-type library --severity CRITICAL cypress/included:13.11.0

@jennifer-shehane
Member

yarn why loader-utils. The loader-utils 1.4.0 needs to be updated to 1.4.1

=> Found "loader-utils@1.4.0"
info Has been hoisted to "loader-utils"
info Reasons this module exists
   - "workspace-aggregator-c070eab9-5a0d-4713-97d9-195f8feb7a6c" depends on it
   - Hoisted from "_project_#@packages#web-config#arraybuffer-loader#loader-utils"
   - Hoisted from "_project_#@packages#web-config#css-modules-typescript-loader#loader-utils"
   - Hoisted from "_project_#@cypress#webpack-dev-server#html-webpack-plugin-4#loader-utils"
   - Hoisted from "_project_#@cypress#webpack-dev-server#webpack-4#loader-utils"
info Disk size without dependencies: "172KB"
info Disk size with unique dependencies: "564KB"
info Disk size with transitive dependencies: "564KB"
info Number of shared dependencies: 3
=> Found "resolve-url-loader#loader-utils@2.0.3"
info This module exists because "_project_#@packages#web-config#resolve-url-loader" depends on it.
info Disk size without dependencies: "88KB"
info Disk size with unique dependencies: "480KB"
info Disk size with transitive dependencies: "480KB"
info Number of shared dependencies: 3
=> Found "adjust-sourcemap-loader#loader-utils@2.0.3"
info This module exists because "_project_#@packages#web-config#resolve-url-loader#adjust-sourcemap-loader" depends on it.
info Disk size without dependencies: "88KB"
info Disk size with unique dependencies: "480KB"
info Disk size with transitive dependencies: "480KB"
info Number of shared dependencies: 3

@cypress-bot
Contributor

cypress-bot bot commented Sep 25, 2024

Released in 13.15.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v13.15.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Sep 25, 2024