Snyk vulnerability [SNYK-JS-AXIOS-6032459]

[github-actions]

Affecting Packages/Plugins

• root
• example-app
• example-app-next
• @backstage/plugin-circleci

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

Workaround

Users should change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary.

Remediation

Upgrade axios to version 1.6.0 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Issue
• GitHub PR

[Rugvip]

Appreciate any help with this one. We're treating it as low prio since it doesn't affect us

[HChenCBRE]

@Rugvip here is a PR to resolve the axios issue from auth-backend
#21664

[sbarrypoppulo]

axios has been bumped to ^1.0.0 in here. I'll submit a PR to bump the @trendyol-js/openstack-swift-sdk dependency to ^0.0.7 in @backstage/techdocs-node, similar to this.

I'll also poke around the other reported packages depending on older axios and see that I can dig up.

[sbarrypoppulo]

Upgrading @useoptic/optic to ^0.53.5+ should resolve older axios version via the analytics-node dependency being upgraded here - opticdev/optic#2558

Not sure if Renovate should have re-raised a PR - #21543 (likely will when 0.54.0 is released?)

[sbarrypoppulo]

yarn why axios 
├─ @backstage/plugin-opencost@workspace:plugins/opencost
│  └─ axios@npm:1.6.5 (via npm:^1.4.0)
│
├─ @openapitools/openapi-generator-cli@npm:2.9.0
│  └─ axios@npm:1.6.5 (via npm:1.6.5)
│
├─ @swagger-api/apidom-reference@npm:0.92.0
│  └─ axios@npm:1.6.5 (via npm:^1.4.0)
│
├─ @trendyol-js/openstack-swift-sdk@npm:0.0.7
│  └─ axios@npm:1.6.5 (via npm:^1.0.0)
│
├─ analytics-node@npm:6.2.0
│  └─ axios@npm:0.27.2 (via npm:^0.27.2)
│
├─ circleci-api@npm:4.1.4
│  └─ axios@npm:0.21.4 (via npm:^0.21.1)
│
└─ passport-auth0@npm:1.4.4
   └─ axios@npm:1.6.5 (via npm:^1.6.0)

[sbarrypoppulo]

https://github.com/worldturtlemedia/circleci-api seems pretty much unmaintained 😢 Last release ~3 years ago

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.