Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-25758 (High) detected in scss-tokenizer-0.2.3.tgz - autoclosed #1842

Closed
mend-for-github-com bot opened this issue Jul 3, 2022 · 5 comments · Fixed by #2054
Closed

CVE-2022-25758 (High) detected in scss-tokenizer-0.2.3.tgz - autoclosed #1842

mend-for-github-com bot opened this issue Jul 3, 2022 · 5 comments · Fixed by #2054
Labels
cve Security vulnerabilities detected by Dependabot or Mend medium severity Medium severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.6.0

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented Jul 3, 2022

CVE-2022-25758 - High Severity Vulnerability

Vulnerable Library - scss-tokenizer-0.2.3.tgz

A tokenzier for Sass' SCSS syntax

Library home page: https://registry.npmjs.org/scss-tokenizer/-/scss-tokenizer-0.2.3.tgz

Dependency Hierarchy:

  • @osd/ui-framework-1.0.0.tgz (Root Library)
    • node-sass-6.0.1.tgz
      • sass-graph-2.2.5.tgz
        • scss-tokenizer-0.2.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

Publish Date: 2022-07-01

URL: CVE-2022-25758

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25758

Release Date: 2022-07-01

Fix Resolution: no_fix

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jul 3, 2022
@kavilla
Copy link
Member

kavilla commented Jul 5, 2022

yarn why scss-tokenizer
yarn why v1.22.18
[1/4] Why do we have the module "scss-tokenizer"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "scss-tokenizer@0.2.3"
info Reasons this module exists
   - "_project_#@osd#ui-framework#node-sass#sass-graph" depends on it
   - Hoisted from "_project_#@osd#ui-framework#node-sass#sass-graph#scss-tokenizer"

@kavilla kavilla added medium severity Medium severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jul 5, 2022
@mend-for-github-com mend-for-github-com bot changed the title CVE-2022-25758 (Medium) detected in scss-tokenizer-0.2.3.tgz CVE-2022-25758 (High) detected in scss-tokenizer-0.2.3.tgz Jul 13, 2022
@kavilla kavilla linked a pull request Aug 2, 2022 that will close this issue
7 tasks
kavilla pushed a commit that referenced this issue Aug 12, 2022
https://github.com/opensearch-project/OpenSearch-Dashboards/security/dependabot/62

This PR fixes the Regular expression denial of service in scss-tokenizer, use dart-sass instead of node-sass.
The node-sass are deprecated, the detail here.
https://www.npmjs.com/package/node-sass

The suggested solution (#535) is that use dart-sass instead of node-sass

* use dart-sass instead of node-sass
* Update basic_optimization.test snapshot
* use compressed as outputsytle and fixes yarn.lock
* minimize yarn.lock changes

Issues Resolved:
#1842
#535

Signed-off-by: Tao liu <liutaoaz@amazon.com>
@ananzh ananzh reopened this Feb 17, 2023
@ananzh
Copy link
Member

ananzh commented Feb 17, 2023

  • main has no issue
  • 2.x is on 0.2.3
yarn why scss-tokenizer
yarn why v1.22.19
[1/4] Why do we have the module "scss-tokenizer"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "scss-tokenizer@0.2.3"
info Reasons this module exists
   - "_project_#@osd#optimizer#node-sass#sass-graph" depends on it
   - Hoisted from "_project_#@osd#optimizer#node-sass#sass-graph#scss-tokenizer"
info Disk size without dependencies: "432KB"
info Disk size with unique dependencies: "1.27MB"
info Disk size with transitive dependencies: "1.27MB"
info Number of shared dependencies: 2
Done in 1.04s.

@ananzh
Copy link
Member

ananzh commented Feb 17, 2023

Possible solutions:

@ananzh
Copy link
Member

ananzh commented Feb 17, 2023

  • Option 1

Screenshot 2023-02-17 at 12 43 13

yarn start error

Node Sass version 7.0.3 is incompatible with ^4.0.0 || ^5.0.0 || ^6.0.0.
       │          Error: Node Sass version 7.0.3 is incompatible with ^4.0.0 || ^5.0.0 || ^6.0.0.
       │              at getSassImplementation (/home/ubuntu/work/OpenSearch-Dashboards/node_modules/sass-loader/dist/utils.js:92:31)

This is because sass-loader 10.2.1 doesn't support node-sass v7. Could try to bump it 10.4.1:
support node-sass v8 (webpack-contrib/sass-loader#1103) (88735bc)

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
Bump node-sass to 7.0.3 and sass-loader to 10.4.1

Issue Resolved:
opensearch-project#1067
opensearch-project#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
…der to 10.4.1 in 2.x

Bump node-sass to 7.0.3 and sass-loader to 10.4.1

Issue Resolved:
opensearch-project#1067
opensearch-project#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
…der to 10.4.1 in 2.x

Bump node-sass to 7.0.3 and sass-loader to 10.4.1

Issue Resolved:
opensearch-project#1067
opensearch-project#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
…der to 10.4.1 in 2.x

Bump node-sass to 7.0.3 and sass-loader to 10.4.1

Issue Resolved:
opensearch-project#1067
opensearch-project#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
…der to 10.4.1 in 2.x

Bump node-sass to 7.0.3 and sass-loader to 10.4.1

Issue Resolved:
opensearch-project#1067
opensearch-project#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit that referenced this issue Feb 18, 2023
…der to 10.4.1 in 2.x (#3455)

Bump node-sass to 7.0.3 and sass-loader to 10.4.1

Issue Resolved:
#1067
#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@mend-for-github-com mend-for-github-com bot changed the title CVE-2022-25758 (High) detected in scss-tokenizer-0.2.3.tgz CVE-2022-25758 (High) detected in scss-tokenizer-0.2.3.tgz - autoclosed Feb 18, 2023
@mend-for-github-com
Copy link
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023
Issue Resolve
opensearch-project#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023
Issue Resolve
opensearch-project#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023
Issue Resolve
opensearch-project#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023
Issue Resolve
opensearch-project#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
abbyhu2000 pushed a commit that referenced this issue Apr 5, 2023
Issue Resolve
#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot bot pushed a commit that referenced this issue Apr 5, 2023
Issue Resolve
#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 5d4fdd2)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
ananzh pushed a commit that referenced this issue Apr 5, 2023
…3789)

Issue Resolve
#1842

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 5d4fdd2)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cve Security vulnerabilities detected by Dependabot or Mend medium severity Medium severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.6.0
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants