marked dependency is insecure version #1489
Comments
Pretty sure this commit, markedjs/marked@cb72584, handles the XSS vulnerability mentioned here: https://nvd.nist.gov/vuln/detail/CVE-2017-17461. Issue here: jsdoc#1489
Running into the same issue, can a new jsdoc be released with a
The same issue here.
Hearing the GitHub announcement of security vulnerability notifications, I've already wondered what it will be like if a commonly used dependency of a commonly used dependency has a security problem... here we are, with possibly thousands of projects affected! 😄
A temporary solution can be to add an explicit dependency on marked ~0.3.9 in dependent projects. With Yarn and reasonably recent versions of npm, a single version of marked will be used and it will actually be 0.3.9, which works around the problem.
In jsdoc, the marked dependency is an insecure version (0.3.6). An issue proposes a temporary solution: add an explicit dependency on marked ~0.3.9. jsdoc/jsdoc#1489 (comment)
The version is set to "~0.3.9" Fixes jsdoc#1489
workaround The security issue is jsdoc/jsdoc#1489
…rkaround The security issue is jsdoc/jsdoc#1489 The manually added dependency is to force to use the secure version before jsdoc released its secure version. (cherry picked from commit d1fbeae)
solve security vulnerabilities. We need to wait for jsdoc/jsdoc#1489
ping @hegemonic, can a maintainer please take a look at this trivial issue that has big implications?
3.5.5 still points to a version of marked < 0.3.9. Even if a new version was pushed here with a fix, it wasn't published to npm. Can a new version please be published?
It's been 30 days, no devs respond. Is this project dead, do the devs not care, or both?
Man, they really need to get with the program over there. JSDoc is dead to me. Ref: jsdoc/jsdoc#1489
Marked is a dependency of jsdoc. Added marked as a dev dependency to be able to update it to latest version. This is just a temporary fix until jsdoc/jsdoc#1489 has been released. Idea from jsdoc/jsdoc#1489 (comment) Related to #22 https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
Does it really have big implications? It seems to me there are zero security implications here. Unless you think a hacker, having already compromised a server to a sufficient degree to launch a process, would be firing up a shell looking for command-line tools to exploit. If a villain already hacked his way into a server, why would he be searching for exploits in a command-line tool (like jsdoc), looking for ways to run malicious code? He already compromised the box and can run whatever code he likes.
@75lb this isn't about command-line tools. It would be enough for someone to contribute seemingly proper code to a GitHub project but include a hidden base64 URI somewhere. If that stays unnoticed and the PR is merged in, the next time JSDoc is used to generate the docs, it will include the malicious code. Et voilà, there you have it: public documentation of a possibly big open source project, compromising all visitors.
@Radiergummi So hackers are now successfully submitting malicious code as PR requests? Knowing the maintainer of the project is an experienced guy, I can't say I'm too worried about that risk, personally. Anyway, this project has a dependency on
@75lb People who have installed jsdoc earlier with I'm not sure that's the best image for jsdoc, especially given that the only thing to do is to bump the marked version in
Any update on this? The issue seems to be still present. |
https://nvd.nist.gov/vuln/detail/CVE-2017-17461
https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
Suggested update
marked ~> 0.3.9