-
Notifications
You must be signed in to change notification settings - Fork 285
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(security): CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1 #2228
Labels
bug
Something isn't working
dependencies
Pull requests that update a dependency file
dependent
P1
Priority 1: Highest
Security
Related to existing or potential security vulnerabilities
Comments
petermetz
added
bug
Something isn't working
dependencies
Pull requests that update a dependency file
Security
Related to existing or potential security vulnerabilities
labels
Dec 8, 2022
This PR/issue depends on:
|
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Dec 8, 2022
To completely get rid of all instances of the vulnerable versions, we also have to upgrade the example application's Angular versions: Depends on hyperledger-cacti#2229 Fixes hyperledger-cacti#2228 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Dec 9, 2022
To completely get rid of all instances of the vulnerable versions, we also have to upgrade the example application's Angular versions: - Upgraded Artillery from v1.7.1 to v1.7.9 Depends on hyperledger-cacti#2229 Fixes hyperledger-cacti#2228 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Jul 16, 2023
Project-wide update of socket-io was necessary to 4.5.4 because of its transitive dependence on socket.io-parser. To completely get rid of all instances of the vulnerable versions, we also have to upgrade the example application's Angular versions: - Upgraded Artillery from v1.7.1 to v1.7.9 Depends on hyperledger-cacti#2229 Fixes hyperledger-cacti#2228 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
to petermetz/cacti
that referenced
this issue
Jul 16, 2023
Project-wide update of socket-io was necessary to 4.5.4 because of its transitive dependence on socket.io-parser. To completely get rid of all instances of the vulnerable versions, we also have to upgrade the example application's Angular versions: - Upgraded Artillery from v1.7.1 to v1.7.9 Depends on hyperledger-cacti#2229 Fixes hyperledger-cacti#2228 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
added a commit
that referenced
this issue
Jul 16, 2023
Project-wide update of socket-io was necessary to 4.5.4 because of its transitive dependence on socket.io-parser. To completely get rid of all instances of the vulnerable versions, we also have to upgrade the example application's Angular versions: - Upgraded Artillery from v1.7.1 to v1.7.9 Depends on #2229 Fixes #2228 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
sandeepnRES
pushed a commit
to sandeepnRES/cacti
that referenced
this issue
Dec 21, 2023
Project-wide update of socket-io was necessary to 4.5.4 because of its transitive dependence on socket.io-parser. To completely get rid of all instances of the vulnerable versions, we also have to upgrade the example application's Angular versions: - Upgraded Artillery from v1.7.1 to v1.7.9 Depends on hyperledger-cacti#2229 Fixes hyperledger-cacti#2228 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
bug
Something isn't working
dependencies
Pull requests that update a dependency file
dependent
P1
Priority 1: Highest
Security
Related to existing or potential security vulnerabilities
Description
Depends on #2229
Severity
Critical 9.8 / 10
Weaknesses
CWE-20
CWE-1287
CVE ID
CVE-2022-2421
GHSA ID
GHSA-qm95-pgcg-qqfq
Upgrade socket.io-parser to fix 2 Dependabot alerts in yarn.lock
Upgrade socket.io-parser to version 4.2.1 or later. For example:
socket.io-parser@^4.2.1:
version "4.2.1"
https://github.com/hyperledger/cactus/security/dependabot/258
The text was updated successfully, but these errors were encountered: