
fix(cmd-api-server): fix CVE-2023-36665 protobufjs Prototype Pollution vuln. #2682

Closed
petermetz opened this issue Sep 11, 2023 · 1 comment · Fixed by #2683 or #2789
Labels: API_Server; bug (Something isn't working); dependencies (Pull requests that update a dependency file); documentation (Improvements or additions to documentation); good-first-issue (Good for newcomers); good-first-issue-200-intermediate; Hacktoberfest (Hacktoberfest participants are welcome to take a stab at issues marked with this label.); P1 (Priority 1: Highest); Security (Related to existing or potential security vulnerabilities)

Comments

@petermetz
Member

Description

CVE ID: CVE-2023-36665
GHSA ID: GHSA-h755-8qp9-cq85


https://github.com/hyperledger/cacti/security/dependabot/721

@petermetz petermetz added the labels bug, documentation, good-first-issue, API_Server, dependencies, Security, Hacktoberfest, good-first-issue-200-intermediate and P1 on Sep 11, 2023
@petermetz petermetz added this to the v2.0.0 milestone Sep 11, 2023
@petermetz petermetz self-assigned this Sep 11, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Sep 11, 2023
…n vuln

Upgraded all imports of protobufjs to non-vulnerable
versions (v7.2.5)

Fixes hyperledger#2682

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Sep 17, 2023
…n vuln

Upgraded all imports of protobufjs to non-vulnerable
versions (v7.2.5)

[skip-ci]

Fixes hyperledger#2682

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Sep 17, 2023
…n vuln

Upgraded all imports of protobufjs to non-vulnerable
versions (v7.2.5)

[skip-ci]

Fixes #2682

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz reopened this Oct 13, 2023
@petermetz
Member Author

Re-opening because in another recent change the vulnerable versions crept back in. ;/

petermetz added a commit to petermetz/cacti that referenced this issue Oct 13, 2023
1. Upgraded fabric-network from 2.2.10 to 2.2.18 wherever it was still 2.2.10
2. Upgraded ipfs-http-client project-wide from 51.0.1 to 60.0.1
3. Upgraded @google-cloud/secret-manager from 3.9.0 to 5.0.1

This is the second try at fixing this issue. For some reason the first
PR didn't get it done. The most likely reason is that other commits
in the meantime added back the vulnerable versions of the packages, but
I'm not 100% sure.

[skip ci]

Fixes hyperledger#2682

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Oct 18, 2023
1. Upgraded fabric-network from 2.2.10 to 2.2.18 wherever it was still 2.2.10
2. Upgraded ipfs-http-client project-wide from 51.0.1 to 60.0.1
3. Upgraded @google-cloud/secret-manager from 3.9.0 to 5.0.1

This is the second try at fixing this issue. While it was in review
other commits already snuck back in more old versions of the vulnerable
dependency, so before merging this I also add a resolution in the root
package.json file to ensure that the vulnerable version is not used
at all, regardless of it being a dependency of a dependency.

[skip ci]

Fixes hyperledger#2682

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Oct 18, 2023
1. Upgraded fabric-network from 2.2.10 to 2.2.18 wherever it was still 2.2.10
2. Upgraded ipfs-http-client project-wide from 51.0.1 to 60.0.1
3. Upgraded @google-cloud/secret-manager from 3.9.0 to 5.0.1

This is the second try at fixing this issue. While it was in review
other commits already snuck back in more old versions of the vulnerable
dependency, so before merging this I also add a resolution in the root
package.json file to ensure that the vulnerable version is not used
at all, regardless of it being a dependency of a dependency.

[skip ci]

Fixes #2682

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
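The commit above describes the two halves of the fix: upgrading direct protobufjs imports to v7.2.5, and adding a root package.json resolution so that a vulnerable copy cannot come back as a dependency of a dependency. The script below is an added example, not code from the Cacti repository: it scans an npm-style lockfile (the `packages` map of lockfileVersion 2/3) for every copy of protobufjs, reports the ones still inside the CVE-2023-36665 range, and emits the root package.json entry that pins the whole tree. The package names and versions in `SAMPLE_LOCK` are constructed for illustration; the 6.11.4 patch level for the 6.x line comes from the advisory GHSA-h755-8qp9-cq85, which the issue links but does not spell out.

```javascript
// Added example (not from the Cacti repository): audit a lockfile for vulnerable
// protobufjs copies and produce the root package.json pin that forces a fix.
// Package names and versions in SAMPLE_LOCK are constructed for illustration.

// Patched releases named by GHSA-h755-8qp9-cq85 / CVE-2023-36665: 7.2.5 on the
// 7.x line (the version the issue upgrades to) and 6.11.4 on the 6.x line.
const PATCHED = { 7: [7, 2, 5], 6: [6, 11, 4] };

// Parse "7.2.5", "v7.2.5" or "7.2.5-rc.1" into a numeric [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the version is inside the advisory's affected range:
// anything on 7.x before 7.2.5, and anything before 6.11.4.
function isVulnerableProtobufjs(version) {
  const v = parseVersion(version);
  if (v[0] >= 8) return false;
  if (v[0] === 7) return compareVersions(v, PATCHED[7]) < 0;
  return compareVersions(v, PATCHED[6]) < 0;
}

// Walk every entry of the lockfile's "packages" map. Nested copies live at paths
// like "node_modules/<dep>/node_modules/protobufjs"; that is how a vulnerable
// version returns as a dependency of a dependency after the root copy is upgraded.
function findVulnerableProtobufjs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isProtobufjs =
      path === "node_modules/protobufjs" || path.endsWith("/node_modules/protobufjs");
    if (!isProtobufjs) continue;
    if (isVulnerableProtobufjs(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Root package.json fragment that pins every protobufjs in the tree. Yarn reads
// "resolutions" (the mechanism the commit describes); npm 8.3+ reads "overrides".
function rootPinForProtobufjs(target = "7.2.5") {
  return {
    resolutions: { protobufjs: target },
    overrides: { protobufjs: target },
  };
}

// Constructed lockfile: the root copy is already patched, two transitive copies are not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/protobufjs": { version: "7.2.5" },
    "node_modules/example-grpc-client": { version: "1.0.0", dependencies: { protobufjs: "^7.0.0" } },
    "node_modules/example-grpc-client/node_modules/protobufjs": { version: "7.2.3" },
    "node_modules/example-legacy-sdk": { version: "0.4.0", dependencies: { protobufjs: "^6.8.0" } },
    "node_modules/example-legacy-sdk/node_modules/protobufjs": { version: "6.11.3" },
  },
};

const findings = findVulnerableProtobufjs(SAMPLE_LOCK);
console.log(`${findings.length} vulnerable protobufjs copies:`, findings);
console.log("root package.json pin:", JSON.stringify(rootPinForProtobufjs(), null, 2));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`. One caveat the pin carries: a single `resolutions` entry forces consumers that declared `^6.x` onto 7.2.5 as well, which is a major-version jump for them, so after adding the pin the affected packages' tests still need to pass; the scan above is also a cheap check to keep in CI so a regression like the one the issue was reopened for is caught before merge.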
Yogesh01000100 pushed a commit to Yogesh01000100/cacti that referenced this issue Oct 18, 2023
1. Upgraded fabric-network from 2.2.10 to 2.2.18 wherever it was still 2.2.10
2. Upgraded ipfs-http-client project-wide from 51.0.1 to 60.0.1
3. Upgraded @google-cloud/secret-manager from 3.9.0 to 5.0.1

This is the second try at fixing this issue. While it was in review
other commits already snuck back in more old versions of the vulnerable
dependency, so before merging this I also add a resolution in the root
package.json file to ensure that the vulnerable version is not used
at all, regardless of it being a dependency of a dependency.

[skip ci]

Fixes hyperledger#2682

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
sandeepnRES pushed a commit to sandeepnRES/cacti that referenced this issue Dec 21, 2023
…n vuln

Upgraded all imports of protobufjs to non-vulnerable
versions (v7.2.5)

[skip-ci]

Fixes hyperledger#2682

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
sandeepnRES pushed a commit to sandeepnRES/cacti that referenced this issue Dec 21, 2023
1. Upgraded fabric-network from 2.2.10 to 2.2.18 wherever it was still 2.2.10
2. Upgraded ipfs-http-client project-wide from 51.0.1 to 60.0.1
3. Upgraded @google-cloud/secret-manager from 3.9.0 to 5.0.1

This is the second try at fixing this issue. While it was in review
other commits already snuck back in more old versions of the vulnerable
dependency, so before merging this I also add a resolution in the root
package.json file to ensure that the vulnerable version is not used
at all, regardless of it being a dependency of a dependency.

[skip ci]

Fixes hyperledger#2682

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
1 participant