[Snyk: High]dicer Denial of Service (DoS) (06/24/2022) [No remediation path available]

[cnlucas]

What we’re after

Detailed paths

Introduced through: openfec@1.0.0 › swagger-tools@0.10.4 › multer@1.4.4 › busboy@0.2.14 › dicer@0.2.5
Fix: No remediation path available. 

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

Completion criteria

(What does the end state look like - as long as this task(s) is done, this work is complete)

• Check for remediation path and if not, we need to inform Security team

[cnlucas]

No remediation path still, moving forward

[pkfec]

@cnlucas swagger-tools is the package that needs to be updated to resolve this issue. swagger-tools was last updated 4 years ago (2018) is what the website says: https://www.npmjs.com/package/swagger-tools

You may want to check in our code if there are any references to dicer package (i believe we are not using at all). if not, we can report and close this issue

cc @patphongs @fec-jli

[cnlucas]

@pkfec I have alerted the security team about this issue. I only find instances in package-lock?

[Edited with new info] I tried upgrading multer and busboy, but without taking out swagger-tools nothing gets rid of the vulnerability. I tried just pulling out swagger-tools and everything is working fine. I'm currently trying to figure out how we are using it, because without it we remove all of our current vulnerabilities. There's no good option to replace everything it does, but if we are using a piece of it there are good options.