
fix(security): CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1 #2228

Closed
petermetz opened this issue Dec 8, 2022 · 1 comment · Fixed by #2230
Assignees: petermetz
Labels: bug (Something isn't working), dependencies (Pull requests that update a dependency file), dependent, P1 (Priority 1: Highest), Security (Related to existing or potential security vulnerabilities)

Comments

petermetz (Contributor) commented Dec 8, 2022

Description

Depends on #2229

Severity: Critical 9.8 / 10
Weaknesses: CWE-20, CWE-1287
CVE ID: CVE-2022-2421
GHSA ID: GHSA-qm95-pgcg-qqfq

Upgrade socket.io-parser to fix 2 Dependabot alerts in yarn.lock
Upgrade socket.io-parser to version 4.2.1 or later. For example:

socket.io-parser@^4.2.1:
  version "4.2.1"

https://github.com/hyperledger/cactus/security/dependabot/258
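As an added example (not part of this issue or the Cacti project's own tooling), a Node.js script that verifies the upgrade described above: it parses a yarn v1 lockfile and reports every socket.io-parser record still resolved below 4.2.1, since bumping one range does not guarantee that transitive consumers stopped pulling in older versions. The lockfile text inside it is a constructed sample, and the parser handles only the yarn v1 format.

```javascript
// Added example, not code from the Cacti issue or project: scan a yarn v1
// lockfile for socket.io-parser records still resolved below the fixed version.
const FIXED_VERSION = "4.2.1"; // first socket.io-parser release without the defect
// Parse yarn v1 lockfile text into { name, selectors, version } records: an
// unindented "pkg@range, pkg@range2:" header, then indented fields such as version "x.y.z".
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const selectors = line.replace(/:\s*$/, "").split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      // package name is everything before the last "@" (keeps scoped @org/pkg names)
      const name = selectors[0].slice(0, selectors[0].lastIndexOf("@"));
      current = { name, selectors, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}
// Numeric major.minor.patch comparison; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Every lockfile record for `pkg` whose resolved version is older than `fixed`.
function findVulnerable(lockText, pkg = "socket.io-parser", fixed = FIXED_VERSION) {
  return parseYarnLock(lockText)
    .filter((e) => e.name === pkg && e.version && compareVersions(e.version, fixed) < 0)
    .map((e) => ({ selectors: e.selectors, version: e.version }));
}
// Constructed sample (not the project's real yarn.lock): a stale record pulled in by a
// transitive consumer sits beside the upgraded one, the "all instances" case the commits mention.
const SAMPLE_LOCK = `socket.io-parser@~4.0.4:
  version "4.0.5"
socket.io-parser@^4.2.1:
  version "4.2.1"
"@socket.io/component-emitter@~3.1.0":
  version "3.1.0"
`;
console.log(findVulnerable(SAMPLE_LOCK)); // [{ selectors: ["socket.io-parser@~4.0.4"], version: "4.0.5" }]
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; an empty result means no record of the package remains below the fixed version.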

@petermetz petermetz added bug Something isn't working dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities labels Dec 8, 2022
@petermetz petermetz self-assigned this Dec 8, 2022
github-actions bot commented Dec 8, 2022

This PR/issue depends on:

petermetz added a commit to petermetz/cacti that referenced this issue Dec 8, 2022
To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz added the P1 Priority 1: Highest label Dec 8, 2022
petermetz added a commit to petermetz/cacti that referenced this issue Dec 9, 2022
To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Jul 16, 2023
Project-wide update of socket-io was necessary to 4.5.4 because of its
transitive dependence on socket.io-parser.

To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Jul 16, 2023
Project-wide update of socket-io was necessary to 4.5.4 because of its
transitive dependence on socket.io-parser.

To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on #2229

Fixes #2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
sandeepnRES pushed a commit to sandeepnRES/cacti that referenced this issue Dec 21, 2023
Project-wide update of socket-io was necessary to 4.5.4 because of its
transitive dependence on socket.io-parser.

To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>