-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CCD-4237 CVE-2022-25901 Resolution added cookiejar ^2.1.4, yarn insta… (
#554) * CCD-4237 CVE-2022-25901 Resolution added cookiejar ^2.1.4, yarn install run, suppression removed * removing keep-helm label --------- Co-authored-by: lucianotmarsilio <luciano.marsilio@hmcts.net> Co-authored-by: James Collett <89016121+JamesCollettCGI@users.noreply.github.com>
- Loading branch information
1 parent
c2bd91a
commit 250b32b
Showing
3 changed files
with
6 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +0,0 @@ | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1088659,"path":"superagent>cookiejar","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]},{"version":"2.1.2","paths":["superagent>cookiejar","supertest-session>supertest>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1088659,"path":"supertest-session>supertest>superagent>cookiejar","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]},{"version":"2.1.2","paths":["superagent>cookiejar","supertest-session>supertest>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1088659,"path":"@hmcts/nodejs-healthcheck>superagent>cookiejar","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]},{"version":"2.1.2","paths":["superagent>cookiejar","supertest-session>supertest>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"}}} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters