Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(security): ensure node-forge > 1.3.0 for CVE-2022-24772 #1947

Closed
petermetz opened this issue Mar 23, 2022 · 0 comments · Fixed by #1948
Closed

fix(security): ensure node-forge > 1.3.0 for CVE-2022-24772 #1947

petermetz opened this issue Mar 23, 2022 · 0 comments · Fixed by #1948
Assignees
@petermetz
Labels
API_Server dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities

Comments

@petermetz
Copy link
Contributor

Temporarily fix the issue by forcing the version to above 1.3.0 via resolutions.
We can update the direct dependencies of ours later as the patches come out.

https://github.com/hyperledger/cactus/security/dependabot/117

Severity
High
7.5
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weaknesses
CWE-347
CVE ID
CVE-2022-24772
GHSA ID
GHSA-x4jg-mjrx-434g
@petermetz petermetz added API_Server dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities labels Mar 23, 2022
@petermetz petermetz self-assigned this Mar 23, 2022
petermetz added a commit to petermetz/cacti that referenced this issue Mar 23, 2022
@petermetz
fix(security): ensure node-forge > 1.3.0 for CVE-2022-24772
e52c3bb 
This is a temporary fix until our direct dependencies get patched
which we can update for ourselves. In the meantime this will force
the (currently considered) secure versions of node-forge to be used.

Fixes hyperledger-cacti#1947

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz mentioned this issue Mar 23, 2022
Merged
petermetz added a commit to petermetz/cacti that referenced this issue Mar 24, 2022
@petermetz
fix(security): ensure node-forge > 1.3.0 for CVE-2022-24772
850430b 
This is a temporary fix until our direct dependencies get patched
which we can update for ourselves. In the meantime this will force
the (currently considered) secure versions of node-forge to be used.

Fixes hyperledger-cacti#1947

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Mar 28, 2022
@petermetz
fix(security): ensure node-forge > 1.3.0 for CVE-2022-24772
d7aa745 
This is a temporary fix until our direct dependencies get patched
which we can update for ourselves. In the meantime this will force
the (currently considered) secure versions of node-forge to be used.

Fixes hyperledger-cacti#1947

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Mar 28, 2022
@petermetz
fix(security): ensure node-forge > 1.3.0 for CVE-2022-24772
38fe287 
This is a temporary fix until our direct dependencies get patched
which we can update for ourselves. In the meantime this will force
the (currently considered) secure versions of node-forge to be used.

Fixes #1947

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@petermetz petermetz

Labels
API_Server dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(security): ensure node-forge > 1.3.0 for CVE-2022-24772 petermetz/cacti
1 participant
@petermetz