Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(security): CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1 #2228

Closed
petermetz opened this issue Dec 8, 2022 · 1 comment · Fixed by #2230
Closed

fix(security): CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1 #2228

petermetz opened this issue Dec 8, 2022 · 1 comment · Fixed by #2230
Assignees
@petermetz
Labels
bug Something isn't working dependencies Pull requests that update a dependency file dependent P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities

Comments

@petermetz
Copy link
Contributor

petermetz commented Dec 8, 2022
edited
Loading

Description

Depends on #2229

Severity
Critical 9.8 / 10

Weaknesses
CWE-20
CWE-1287
CVE ID
CVE-2022-2421
GHSA ID
GHSA-qm95-pgcg-qqfq

Upgrade socket.io-parser to fix 2 Dependabot alerts in yarn.lock
Upgrade socket.io-parser to version 4.2.1 or later. For example:

socket.io-parser@^4.2.1:
version "4.2.1"

https://github.com/hyperledger/cactus/security/dependabot/258
@petermetz petermetz added bug Something isn't working dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities labels Dec 8, 2022
@petermetz petermetz self-assigned this Dec 8, 2022
@petermetz petermetz mentioned this issue Dec 8, 2022
Closed
@github-actions
Copy link

github-actions bot commented Dec 8, 2022

This PR/issue depends on:

petermetz added a commit to petermetz/cacti that referenced this issue Dec 8, 2022
@petermetz
fix(security): the CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1
5f82a69 
To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz mentioned this issue Dec 8, 2022
Merged
@petermetz petermetz added the P1 Priority 1: Highest label Dec 8, 2022
@petermetz petermetz mentioned this issue Dec 8, 2022
Closed
petermetz added a commit to petermetz/cacti that referenced this issue Dec 9, 2022
@petermetz
fix(security): the CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1
2ae862f 
To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Jul 16, 2023
@petermetz
fix(security): the CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1
1818915 
Project-wide update of socket-io was necessary to 4.5.4 because of its
transitive dependence on socket.io-parser.

To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Jul 16, 2023
@petermetz
fix(security): the CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1
b68a5d6 
Project-wide update of socket-io was necessary to 4.5.4 because of its
transitive dependence on socket.io-parser.

To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Jul 16, 2023
@petermetz
fix(security): the CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1
9172172 
Project-wide update of socket-io was necessary to 4.5.4 because of its
transitive dependence on socket.io-parser.

To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on #2229

Fixes #2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
sandeepnRES pushed a commit to sandeepnRES/cacti that referenced this issue Dec 21, 2023
@petermetz @sandeepnRES
fix(security): the CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1
abec3c1 
Project-wide update of socket-io was necessary to 4.5.4 because of its
transitive dependence on socket.io-parser.

To completely get rid of all instances of the vulnerable versions,
we also have to upgrade the example application's Angular versions:

- Upgraded Artillery from v1.7.1 to v1.7.9

Depends on hyperledger-cacti#2229

Fixes hyperledger-cacti#2228

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@petermetz petermetz

Labels
bug Something isn't working dependencies Pull requests that update a dependency file dependent P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(security): the CVE-2022-2421 - upgrade socket.io-parser to >=4.2.1 petermetz/cacti
1 participant
@petermetz