Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(security): upgrade to yarn > 1.22.0 - CVE-2019-10773, CVE-2020-8131 #1922

Closed
petermetz opened this issue Mar 14, 2022 · 0 comments · Fixed by #1923
Closed

fix(security): upgrade to yarn > 1.22.0 - CVE-2019-10773, CVE-2020-8131 #1922

petermetz opened this issue Mar 14, 2022 · 0 comments · Fixed by #1923
Assignees
@petermetz
Labels
dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities

Comments

@petermetz
Copy link
Contributor

trivy image --severity=HIGH,CRITICAL ghcr.io/hyperledger/cactus-cmd-api-server:2022-03-14-ef0981d

+-----------+------------------+ +-------------------+-----------------------------+---------------------------------------+
| yarn | CVE-2019-10773 | | 1.18.0 | 1.22.0 | nodejs-yarn: Install |
| | | | | | functionality can be abused |
| | | | | | to generate arbitrary symlinks |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-10773 |

  •       +------------------+          +                   +                             +---------------------------------------+

| | CVE-2020-8131 | | | | yarn: Arbitrary filesystem |
| | | | | | write via tar expansion |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8131 |
+-----------+------------------+----------+-------------------+-----------------------------+---------------------------------------+
@petermetz petermetz added dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities labels Mar 14, 2022
@petermetz petermetz self-assigned this Mar 14, 2022
petermetz added a commit to petermetz/cacti that referenced this issue Mar 14, 2022
@petermetz
fix(security): upgrade to yarn > 1.22.0 - CVE-2019-10773, CVE-2020-8131
15f2955 
Fixes hyperledger-cacti#1922

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz mentioned this issue Mar 14, 2022
Merged
petermetz added a commit to petermetz/cacti that referenced this issue Mar 15, 2022
@petermetz
fix(security): upgrade to yarn > 1.22.0 - CVE-2019-10773, CVE-2020-8131
95f535f 
Fixes hyperledger-cacti#1922

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Mar 15, 2022
@petermetz
fix(security): upgrade to yarn > 1.22.0 - CVE-2019-10773, CVE-2020-8131
43d591d 
Fixes #1922

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@petermetz petermetz

Labels
dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(security): upgrade to yarn > 1.22.0 - CVE-2019-10773, CVE-2020-8131 petermetz/cacti
1 participant
@petermetz