Security issue with v8.6.1 #1903
Comments
Where is the attack vector?
Sorry, all I know is what Snyk says, and just wanted to let people here know, just in case.
We are indeed turning down our security monitoring across a wide range of projects, owing to Bunyan, which we hope indeed is not actually a clear vector in. Our security monitoring is giving us two other alerts that we are for now muting:
In general, it feels like it'd be super nice & everyone could sleep better if we could move from a conservative stance ("Where is the attack vector?" which we all have to re-convince ourselves on in isolation) to a "Let's upgrade it if we can" (so no teams have to think about each vulnerability) mentality. At least when there are upgrades available, just doing the work would be great. I'll try to help get the ball rolling some & submit some PRs. Good news: bunyan is at the root of 3/4 issues here, and is replaced by pino in #1841. #1889 upgraded http-signatures to 1.3.6 which is not vulnerable. We just need a release: #1844. 🎉
Snyk flagged this as a security vulnerability:
restify@8.6.1 › bunyan@1.8.14 › moment@2.29.1
restify-plugins@1.6.0 › bunyan@1.8.14 › moment@2.29.1
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
https://cwe.mitre.org/data/definitions/22.html
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24785
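As an added example (not code from this issue, from restify or from Moment.js), this is the defender-side workaround the advisory text describes: validate a user-supplied locale key against a strict shape and an allowlist before it is ever passed to moment.locale(). The SUPPORTED_LOCALES set is a constructed stand-in for the locales a real application actually ships; the moment import itself is assumed and left commented out so the block runs offline.

```javascript
// Constructed allowlist: in a real app, build this from the locales you bundle
// (e.g. the result of moment.locales() after loading them), not from user input.
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'de', 'fr', 'pt-br', 'zh-cn']);

// Strict locale-key shape: a 2-3 letter language tag plus optional dash-separated
// alphanumeric subtags. Only letters, digits and dashes can pass, so path
// separators ("/" or "\") and ".." segments never reach a locale loader that
// turns the key into a file path (the root cause behind CWE-22 here).
const LOCALE_SHAPE = /^[a-z]{2,3}(-[a-z0-9]{2,8})*$/;

// Normalise untrusted input to a canonical key, or null when it is malformed.
function normalizeLocale(input) {
  if (typeof input !== 'string') return null;
  const key = input.trim().toLowerCase();
  if (key.length === 0 || key.length > 35) return null;
  if (!LOCALE_SHAPE.test(key)) return null;
  return key;
}

// Resolve a request's locale to something safe to hand to moment.locale():
// well-formed AND on the allowlist, otherwise the configured fallback.
function resolveLocale(input, fallback = 'en') {
  const key = normalizeLocale(input);
  if (key === null || !SUPPORTED_LOCALES.has(key)) {
    return fallback;
  }
  return key;
}

// Usage at the call site the advisory warns about (moment import assumed):
// const moment = require('moment');
// moment.locale(resolveLocale(req.query.locale));
```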