
Security vulnerability: CVE-2022-39299 #4399

Closed
Zebin-Zhou opened this issue Dec 28, 2022 · 1 comment
Labels
Bot Services Required for internal Azure reporting. Do not delete. Do not change color. bug Indicates an unexpected problem or an unintended behavior. customer-reported Issue is created by anyone that is not a collaborator in the repository. ExemptFromDailyDRIReport Use this label to exclude the issue from the DRI report.

Comments


Zebin-Zhou commented Dec 28, 2022

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please use one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the documentElement, or reject a document that has more than 1 childNode.

xmldom is found in botframework-connector@4.18.0:

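The two workarounds named in the advisory, as an added example that is not code from this issue or from botbuilder-js: a whole-document search (the pattern the advisory warns about) beside a root-count check and a search scoped to documentElement. The guards work on any W3C DOM Document such as one returned by @xmldom/xmldom's DOMParser; the tiny `el`/`makeDocument` builders are a constructed stand-in so the example runs without xmldom.

```javascript
// Added example: guards for the multi-root case described in CVE-2022-39299.
const ELEMENT_NODE = 1;

// Count top-level element nodes; a well-formed document has exactly one.
// Top-level comments, processing instructions and DOCTYPE are legal and ignored.
function countRootElements(xmlDoc) {
  let count = 0;
  for (let i = 0; i < xmlDoc.childNodes.length; i++) {
    if (xmlDoc.childNodes[i].nodeType === ELEMENT_NODE) count++;
  }
  return count;
}

// Vulnerable pattern: search every top-level node, so an element under a second
// root that xmldom silently accepted is found exactly like one under the real root.
function searchWholeDocument(xmlDoc, tagName) {
  const out = [];
  for (let i = 0; i < xmlDoc.childNodes.length; i++) {
    const n = xmlDoc.childNodes[i];
    if (n.nodeType !== ELEMENT_NODE) continue;
    if (n.tagName === tagName) out.push(n);
    out.push(...n.getElementsByTagName(tagName));
  }
  return out;
}

// Hardened pattern 1 (advisory workaround): reject a document with extra roots.
function assertSingleRoot(xmlDoc) {
  const n = countRootElements(xmlDoc);
  if (n !== 1) throw new Error(`expected exactly 1 root element, found ${n}`);
  return xmlDoc;
}

// Hardened pattern 2 (advisory workaround): search only below documentElement,
// so nodes hanging off any other top-level element are never visible.
function findInDocumentElement(xmlDoc, tagName) {
  const root = assertSingleRoot(xmlDoc).documentElement;
  return Array.from(root.getElementsByTagName(tagName));
}

// Constructed stand-in for a parsed DOM: element nodes with a depth-first tag search.
function el(tagName, children = []) {
  const node = { nodeType: ELEMENT_NODE, tagName, childNodes: children };
  node.getElementsByTagName = (name) => node.childNodes
    .filter((c) => c.nodeType === ELEMENT_NODE)
    .flatMap((c) => (c.tagName === name ? [c] : []).concat(c.getElementsByTagName(name)));
  return node;
}
const makeDocument = (...roots) =>
  ({ childNodes: roots, documentElement: roots.find((r) => r.nodeType === ELEMENT_NODE) || null });
```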
@Zebin-Zhou Zebin-Zhou added bug Indicates an unexpected problem or an unintended behavior. needs-triage The issue has just been created and it has not been reviewed by the team. labels Dec 28, 2022
@tracyboehrer tracyboehrer added ExemptFromDailyDRIReport Use this label to exclude the issue from the DRI report. customer-reported Issue is created by anyone that is not a collaborator in the repository. Bot Services Required for internal Azure reporting. Do not delete. Do not change color. and removed needs-triage The issue has just been created and it has not been reviewed by the team. labels Jan 9, 2023
sw-joelmut (Collaborator) commented

Reviewing this issue, we found out that the xmldom security vulnerability (CVE-2022-39353) is already fixed by the PR #4365 and applied to the latest 4.19.0 version (source code).
