This repository has been archived by the owner on Nov 16, 2023. It is now read-only.

GitHub Security Alerts #32

Closed
DawnmarieDesJardins opened this issue Feb 28, 2020 · 2 comments
Comments

@DawnmarieDesJardins (Contributor) commented Feb 28, 2020

Merging the Feb 2020 test/fix resulted in 3 GitHub security alerts (and 2 automatic PRs). Please review and advise.

Security Alert 1 - Moderate severity, corresponds with PR #30 - mongoose

mongoose
Open
GitHub opened this alert 9 minutes ago

Bump mongoose from 5.4.21 to 5.7.5 in /Hands-on lab/lab-files dependencies
#30 opened 9 minutes ago by dependabot bot

1 mongoose vulnerability found in …/lab-files/package-lock.json 9 minutes ago
Remediation
Upgrade mongoose to version 5.7.5 or later. For example:
"dependencies": {
"mongoose": ">=5.7.5"
}
or…
"devDependencies": {
"mongoose": ">=5.7.5"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2019-17426
moderate severity
Vulnerable versions: < 5.7.5
Patched version: 5.7.5
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Security Alert 2 - Moderate severity, no PR (Dependabot could not update) - serialize-javascript

serialize-javascript
Open
GitHub opened this alert 12 minutes ago
Dependabot cannot update to the required version
1 serialize-javascript vulnerability found in …/lab-files/package-lock.json 12 minutes ago
Remediation
Upgrade serialize-javascript to version 2.1.1 or later. For example:
"dependencies": {
"serialize-javascript": ">=2.1.1"
}
or…
"devDependencies": {
"serialize-javascript": ">=2.1.1"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details
GHSA-h9rv-jmmf-4pgx
moderate severity
Vulnerable versions: < 2.1.1
Patched version: 2.1.1
regular expressions Cross-Site Scripting (XSS) vulnerability
Impact
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions.
This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.
If serialized regular expression objects are used in an environment other than Node.js, that environment is affected by this vulnerability.
Patches
This was patched in v2.1.1.

Security Alert 3 - handlebars - High severity, corresponds with PR #31

handlebars
Open
GitHub opened this alert 14 minutes ago

Bump handlebars from 4.1.2 to 4.7.3 in /Hands-on lab/lab-files dependencies
#31 opened 13 minutes ago by dependabot bot

1 handlebars vulnerability found in …/lab-files/package-lock.json 14 minutes ago
Remediation
Upgrade handlebars to version 4.3.0 or later. For example:
"dependencies": {
"handlebars": ">=4.3.0"
}
or…
"devDependencies": {
"handlebars": ">=4.3.0"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2019-19919
high severity
Vulnerable versions: < 4.3.0
Patched version: 4.3.0
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
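The three alerts above give a version floor for each package and, for mongoose, the input shape (a `_bsontype` key in a query filter) that the unpatched versions mishandle. What follows is an added example, not code from this issue or from the HOL repository: a small Node.js script that audits a package-lock.json against exactly these three advisories, walking both the nested lockfileVersion 1 layout and the flat v2/v3 `packages` map so that transitive copies are found as well, plus a guard that rejects `_bsontype` and `$`-operator keys in user-supplied filter fragments while a vulnerable mongoose is still installed. The lock file in the block is constructed: the direct versions 5.4.21 and 4.1.2 are the ones Dependabot bumped from in PRs #30 and #31, while `example-bundler-plugin` and the serialize-javascript version 1.9.1 are placeholders that are not taken from the repository.

```javascript
// Added example, not code from the issue or the HOL repository: audit a
// package-lock.json against the three advisories quoted above, then guard
// user-supplied Mongoose filters while the dependency bump is pending.

// Identifiers and patched versions as stated in the alerts on this page.
const ADVISORIES = {
  mongoose: { id: "CVE-2019-17426", fixed: "5.7.5" },
  "serialize-javascript": { id: "GHSA-h9rv-jmmf-4pgx", fixed: "2.1.1" },
  handlebars: { id: "CVE-2019-19919", fixed: "4.3.0" },
};

// Numeric major.minor.patch comparison; pre-release and build tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Enumerate every installed package with its depth in the tree. lockfileVersion 1
// nests transitive dependencies under each entry's "dependencies"; v2/v3 flatten
// them into "packages" keyed by node_modules path.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      const segments = path.split("node_modules/");
      const name = segments[segments.length - 1];
      yield { name, version: meta.version, depth: segments.length - 1, path };
    }
    return;
  }
  function* walk(deps, parentPath, depth) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = parentPath ? `${parentPath} > ${name}` : name;
      yield { name, version: meta.version, depth, path };
      yield* walk(meta.dependencies, path, depth + 1);
    }
  }
  yield* walk(lock.dependencies, "", 1);
}

// Report packages still below the patched version. depth > 1 marks a transitive
// copy, which cannot be raised just by bumping the direct dependency.
function audit(lock) {
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    const adv = ADVISORIES[pkg.name];
    if (adv && compareVersions(pkg.version, adv.fixed) < 0) {
      findings.push({ ...pkg, id: adv.id, fixed: adv.fixed, transitive: pkg.depth > 1 });
    }
  }
  return findings;
}

// Defense in depth for CVE-2019-17426 while mongoose < 5.7.5 is installed: apply to
// the user-controlled part of a filter (e.g. req.body), never to your own operators.
// Rejects _bsontype or any "$"-prefixed key at any depth instead of letting the
// query be silently dropped or rewritten.
function assertSafeFilter(fragment, path = "filter") {
  if (fragment === null || typeof fragment !== "object") return true;
  for (const key of Object.keys(fragment)) {
    if (key === "_bsontype" || key.startsWith("$")) {
      throw new Error(`rejected reserved key "${key}" at ${path}`);
    }
    assertSafeFilter(fragment[key], `${path}.${key}`);
  }
  return true;
}

// Constructed lock file: mongoose and handlebars versions are the ones Dependabot
// bumped from; example-bundler-plugin and the serialize-javascript version are
// placeholders, not taken from the repository.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    mongoose: { version: "5.4.21" },
    handlebars: { version: "4.1.2" },
    express: { version: "4.17.1" },
    "example-bundler-plugin": {
      version: "1.0.0",
      dev: true,
      dependencies: { "serialize-javascript": { version: "1.9.1" } },
    },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; with no argument the
// constructed sample above is audited.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of audit(lock)) {
    console.log(`${f.id}: ${f.path}@${f.version} < ${f.fixed}${f.transitive ? " (transitive)" : ""}`);
  }
}
```

Running the script against the sample reports all three advisories, with serialize-javascript flagged as transitive; pointing it at the real lab-files lockfile shows whether the two Dependabot PRs would have cleared the moderate and high alerts and which parent package pins the serialize-javascript copy.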

@kylebunting (Collaborator) commented:
@DawnmarieDesJardins, these alerts can be ignored. They are generated by some of the libraries being used in the starter application for this HOL. As the application is only running for a short period of time and is not intended to be a production application, we can ignore these. The library versions will be updated to remove these alerts during the next update cycle for this HOL.

@DawnmarieDesJardins (Contributor, Author) commented:
@kylebunting - Thanks Kyle! I've dismissed the security alerts and noted and closed the PRs.
