Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk:Medium] node-fetch Denial of Service (DoS) (due by 03/20/2022) #5029

Closed
1 task
Tracked by #137
fec-jli opened this issue Jan 19, 2022 · 1 comment
Closed
1 task
Tracked by #137

[Snyk:Medium] node-fetch Denial of Service (DoS) (due by 03/20/2022) #5029

fec-jli opened this issue Jan 19, 2022 · 1 comment
Assignees
@patphongs
Labels
Security: moderate Remediate within 60 days
Milestone
Sprint 17.4

Comments

@fec-jli
Copy link
Contributor

fec-jli commented Jan 19, 2022
edited by patphongs

Overview

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Information Exposure when fetching a remote url with Cookie, if it get a Location response header, it will follow that url and try to fetch that url with provided cookie. This can lead to forwarding secure headers to 3th party.

https://app.snyk.io/org/fecgov/project/2a97cddb-4b62-4d54-b18f-3b85d55a5e10/#issue-SNYK-JS-NODEFETCH-2342118

Introduced through:

Introduced through
Introduced through: fec-cms@1.0.0 › draft-js@0.11.7 › fbjs@2.0.0 › cross-fetch@3.0.6 › node-fetch@2.6.1

Completion criteria:

  • Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.
@fec-jli fec-jli added the Security: moderate Remediate within 60 days label Jan 19, 2022
@fec-jli fec-jli mentioned this issue Jan 19, 2022
Closed
@JonellaCulmer JonellaCulmer added this to the Sprint 17.4 milestone Jan 19, 2022
@patphongs patphongs mentioned this issue Jan 27, 2022
Closed
1 task
@cnlucas cnlucas mentioned this issue Feb 2, 2022
Closed
@hcaofec hcaofec mentioned this issue Feb 9, 2022
Closed
1 task
@patphongs patphongs mentioned this issue Feb 16, 2022
Closed
@pkfec pkfec mentioned this issue Feb 23, 2022
Closed
@patphongs patphongs removed their assignment Feb 24, 2022
@patphongs patphongs modified the milestones: Sprint 17.3, Sprint 17.4 Feb 24, 2022
@JonellaCulmer JonellaCulmer changed the title [Snyk:Medium] pillow Denial of Service (DoS) (due by 03/20/2022) [Snyk:Medium] node-fetch Denial of Service (DoS) (due by 03/20/2022) Mar 1, 2022
@patphongs
Copy link
Member

The use of this is within the draft-js package, which is being used within our authenticated CMS system. Therefore, this vulnerability does not really effect us.

@patphongs patphongs mentioned this issue Feb 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@patphongs patphongs

Labels
Security: moderate Remediate within 60 days
Projects
None yet
Milestone
Sprint 17.4
Development

No branches or pull requests
3 participants
@patphongs @fec-jli @JonellaCulmer