
Vulnerability in dependencies (xmldom) #234

Closed
pavelkalin opened this issue Apr 7, 2021 · 6 comments

Comments

@pavelkalin

Could you please update to version 0.5.0 or later as per https://www.npmjs.com/advisories/1650

Thank you!

@servicesarchitecturemanager

is this issue exploitable in Clever/saml2

@Chocobozzz

is this issue exploitable in Clever/saml2

It seems so: https://mattermost.com/blog/securing-xml-implementations-across-the-web/

@rmobis

rmobis commented Oct 4, 2021

As per xmldom/xmldom#271 (and in order to stay safe from a vulnerability in 0.6.0), the recommended now would be to update to @xmldom/xmldom@^0.7.0.

@dbauszus-glx
Contributor

Should be resolved once this is merged. #245

There is an xmldom 0.8.0 release. Might be worth using the latest version now.

@rparpa

rparpa commented Oct 14, 2022

Don't know if it has been already posted elsewhere, but you can fix the vulnerability issue by overriding the used xmldom:

package.json

{
  "dependencies": {
    "saml2-js": "^3.0.1"
  },
  "overrides": {
    "saml2-js": {
      "xmldom": "npm:@xmldom/xmldom@^0.8.3"
    }
  }
}

At the moment, it seems to work fine with this override in my case.

mcab added a commit that referenced this issue Oct 15, 2022
Updates some dependencies.

Closes #232, #234, #237, #240, #246, #248, #252.
@mcab
Member

mcab commented Oct 15, 2022

Addressed in #261.

@mcab mcab closed this as completed Oct 15, 2022
7 participants