Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz #1134

Closed
mend-for-github-com bot opened this issue Jan 11, 2022 · 1 comment · Fixed by #1239
Closed

WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz #1134

mend-for-github-com bot opened this issue Jan 11, 2022 · 1 comment · Fixed by #1239
Assignees
@tmarkley
Labels
cve Security vulnerabilities detected by Dependabot or Mend medium severity Medium severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented Jan 11, 2022
edited
Loading

WS-2022-0008 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution: 1.2.1
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 11, 2022
@tmarkley tmarkley added cve Security vulnerabilities detected by Dependabot or Mend medium severity Medium severity CVE labels Jan 12, 2022
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@rshen91
fix(legend): disable handleLabelClick for one legend item (opensearch…
e485174 
…-project#1134)

Fixes opensearch-project#1055
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@semantic-release-bot
chore(release): 29.2.0 [skip ci]
ccd72c3 
# [29.2.0](elastic/elastic-charts@v29.1.0...v29.2.0) (2021-05-25)

### Bug Fixes

* **legend:** disable handleLabelClick for one legend item ([opensearch-project#1134](elastic/elastic-charts#1134)) ([e485174](elastic/elastic-charts@e485174)), closes [opensearch-project#1055](elastic/elastic-charts#1055)

### Features

* **a11y:** add alt text for all chart types  ([opensearch-project#1118](elastic/elastic-charts#1118)) ([e1c7489](elastic/elastic-charts@e1c7489)), closes [opensearch-project#1107](elastic/elastic-charts#1107)
* **legend:** specify number of columns on floating legend ([opensearch-project#1159](elastic/elastic-charts#1159)) ([ed3736e](elastic/elastic-charts@ed3736e)), closes [opensearch-project#1158](elastic/elastic-charts#1158)
* simple screenspace constraint solver ([opensearch-project#1141](elastic/elastic-charts#1141)) ([af9dd96](elastic/elastic-charts@af9dd96))
@tmarkley tmarkley self-assigned this Feb 21, 2022
@tmarkley
Copy link
Contributor

tmarkley commented Feb 21, 2022
edited
Loading

Will be fixed with #1239

@tmarkley tmarkley linked a pull request Feb 22, 2022 that will close this issue
Upgrades node-forge from v0.10.0 to v1.2.1 #1239
Merged
7 tasks
@tmarkley tmarkley mentioned this issue Feb 22, 2022
Merged
7 tasks
tmarkley pushed a commit that referenced this issue Feb 22, 2022
Upgrades node-forge from v0.10.0 to v1.2.1 (#1239)
15b561e 
* [CHANGELOG](https://github.com/digitalbazaar/forge/blob/v1.2.1/CHANGELOG.md)
* The major version bump introduces breaking changes, but none of them
apply to Dashboards.
* Upgrades `@elastic/request-crypto` from `1.1.4` to `2.0.0` which has
a downstream dependency on `node-forge`.
  * `@elastic/request-crypto` uses `node-jose@2.0.0` which still depends
  on `node-forge@0.10.0` so we need a manual resolution for
  `node-jose@2.1.0`.

Resolves #1112
Resolves #1134 

Signed-off-by: Tommy Markley <markleyt@amazon.com>
@ZilongX ZilongX mentioned this issue Sep 29, 2022
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tmarkley tmarkley

Labels
cve Security vulnerabilities detected by Dependabot or Mend medium severity Medium severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Upgrades node-forge from v0.10.0 to v1.2.1 tmarkley/OpenSearch-Dashboards
1 participant
@tmarkley