WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz #1134
Labels: cve (Security vulnerabilities detected by Dependabot or Mend); medium severity (Medium severity CVE); Mend: dependency security vulnerability (Security vulnerability detected by Mend); v2.0.0
Comments

mend-for-github-com (bot) added the "Mend: dependency security vulnerability" label on Jan 11, 2022.
tmarkley added the "cve" and "medium severity" labels on Jan 12, 2022.
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue on Feb 10, 2022.

AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue on Feb 10, 2022:
# [29.2.0](elastic/elastic-charts@v29.1.0...v29.2.0) (2021-05-25)

### Bug Fixes

* **legend:** disable handleLabelClick for one legend item ([opensearch-project#1134](elastic/elastic-charts#1134)) ([e485174](elastic/elastic-charts@e485174)), closes [opensearch-project#1055](elastic/elastic-charts#1055)

### Features

* **a11y:** add alt text for all chart types ([opensearch-project#1118](elastic/elastic-charts#1118)) ([e1c7489](elastic/elastic-charts@e1c7489)), closes [opensearch-project#1107](elastic/elastic-charts#1107)
* **legend:** specify number of columns on floating legend ([opensearch-project#1159](elastic/elastic-charts#1159)) ([ed3736e](elastic/elastic-charts@ed3736e)), closes [opensearch-project#1158](elastic/elastic-charts#1158)
* simple screenspace constraint solver ([opensearch-project#1141](elastic/elastic-charts#1141)) ([af9dd96](elastic/elastic-charts@af9dd96))

Will be fixed with #1239
tmarkley pushed a commit that referenced this issue on Feb 22, 2022:
* [CHANGELOG](https://github.com/digitalbazaar/forge/blob/v1.2.1/CHANGELOG.md)
* The major version bump introduces breaking changes, but none of them apply to Dashboards.
* Upgrades `@elastic/request-crypto` from `1.1.4` to `2.0.0` which has a downstream dependency on `node-forge`.
* `@elastic/request-crypto` uses `node-jose@2.0.0` which still depends on `node-forge@0.10.0` so we need a manual resolution for `node-jose@2.1.0`.

Resolves #1112
Resolves #1134

Signed-off-by: Tommy Markley <markleyt@amazon.com>
WS-2022-0008 - Medium Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution: 1.2.1
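As an added example (not code from this issue or from OpenSearch-Dashboards), the following walks a package-lock-style dependency tree and lists every path that reaches a node-forge copy below the 1.2.1 fix resolution; the sample tree is constructed to mirror the `@elastic/request-crypto` > `node-jose` > `node-forge@0.10.0` chain the fix commit describes, and all function and variable names are assumptions.

```javascript
// Added example (not from the issue or from OpenSearch-Dashboards): walk a
// package-lock-style dependency tree and report every path that reaches a
// node-forge version below the advisory's fix resolution, 1.2.1.
const FIX_RESOLUTION = '1.2.1';

// Compare two dotted version strings numerically (pre-release tags ignored).
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// tree: { name: { version, dependencies: {...} } } as in package-lock.json v1.
// Returns "a@x > b@y > node-forge@z" strings, one per vulnerable copy found.
function findVulnerableForge(tree, fixVersion = FIX_RESOLUTION) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === 'node-forge' && compareVersions(info.version, fixVersion) < 0) {
        hits.push(here.join(' > '));
      }
      walk(info.dependencies, here); // nested (non-hoisted) copies live here
    }
  };
  walk(tree, []);
  return hits;
}

// Constructed sample mirroring the chain described in the fix commit:
// @elastic/request-crypto -> node-jose -> node-forge@0.10.0, next to a
// hoisted node-forge that is already at the fixed version.
const SAMPLE_TREE = {
  '@elastic/request-crypto': {
    version: '2.0.0',
    dependencies: {
      'node-jose': { version: '2.0.0', dependencies: { 'node-forge': { version: '0.10.0' } } },
    },
  },
  'node-forge': { version: '1.2.1' },
};

console.log(findVulnerableForge(SAMPLE_TREE));
```

On a real project, pass the `dependencies` object of the lockfile instead of `SAMPLE_TREE`; a non-empty result means a manual resolution (as the fix commit applied for `node-jose`) or an upgrade is still needed.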