
Address CVE-2020-7690 #2862

Closed
ikornienko opened this issue Aug 19, 2020 · 5 comments

Comments

@ikornienko

Sorry if it's a duplicate, wasn't able to find anything related to CVE-2020-7690 among issues and PRs.

Unfortunately, I don't have all the details about this vulnerability, besides knowing that it's being identified by vuln scanners that discover jspdf as a dependency.

Does anyone have more insights into the issue? What are the plans to address it?

@ikornienko
Author

I must be turning blind... see #2795 now.

@HackbrettXXX
Collaborator

HackbrettXXX commented Aug 20, 2020

@ikornienko do you happen to know how we can tell the site that this vulnerability was fixed with 2.0.0?

@ikornienko
Author

I'm not quite sure NVD specifies this kind of data about when the issue was fixed. But let me double check and come back to you.

I did see that in Snyk Vuln DB it specifies that the remediation is to upgrade to 2.0.0. So vuln scanners that rely on Snyk should correctly notify their users about the available fix.

@ikornienko
Author

@HackbrettXXX my awesome colleagues from StackRox helped to get the following info:

  • NVD database shows in "Known Affected Software Configurations": cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:* and nothing more, which means that VersionEndIncluding isn't defined, and therefore they indeed don't know that the issue was fixed at some point.
  • One can submit an update to the existing CVE Entry as described here. Probably makes sense for maintainers of jsPDF to do so.
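One way to see why an unbounded CPE configuration keeps flagging fixed versions, as an added example that is not from this thread or the jsPDF project; the field names assume the NVD JSON 1.1 feed layout (cpe23Uri, versionStartIncluding, versionEndIncluding, versionEndExcluding) and both sample configurations are constructed:

```python
"""Decide whether an installed package version falls inside an NVD cpe_match
entry. Field names follow the NVD JSON 1.1 feed (assumption); sample data is
constructed. Escaped colons inside CPE components are not handled."""
import re

def parse_version(v):
    # "2.0.0" -> (2, 0, 0); non-numeric fragments are dropped
    return tuple(int(p) for p in re.findall(r"\d+", v))

def cpe_product(cpe23uri):
    # cpe:2.3:part:vendor:product:version:... -> (vendor, product, version)
    parts = cpe23uri.split(":")
    return parts[3], parts[4], parts[5]

def match_flags_version(match, vendor, product, version):
    """True if one cpe_match entry marks `version` as vulnerable. A '*' version
    with no start/end bounds is open-ended, so every version matches: exactly
    the situation described above for jspdf."""
    if not match.get("vulnerable", True):
        return False
    m_vendor, m_product, m_version = cpe_product(match["cpe23Uri"])
    if (m_vendor, m_product) != (vendor, product):
        return False
    v = parse_version(version)
    if m_version not in ("*", "-"):          # exact-version entry
        return parse_version(m_version) == v
    lo_inc = match.get("versionStartIncluding")
    lo_exc = match.get("versionStartExcluding")
    hi_inc = match.get("versionEndIncluding")
    hi_exc = match.get("versionEndExcluding")
    if lo_inc and v < parse_version(lo_inc): return False
    if lo_exc and v <= parse_version(lo_exc): return False
    if hi_inc and v > parse_version(hi_inc): return False
    if hi_exc and v >= parse_version(hi_exc): return False
    return True

def is_affected(cpe_matches, vendor, product, version):
    return any(match_flags_version(m, vendor, product, version) for m in cpe_matches)

# Constructed samples: the unbounded entry observed in NVD, beside a bounded
# entry that records the 2.0.0 fix via versionEndExcluding.
URI = "cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*"
UNBOUNDED = [{"vulnerable": True, "cpe23Uri": URI}]
BOUNDED = [{"vulnerable": True, "cpe23Uri": URI, "versionEndExcluding": "2.0.0"}]

if __name__ == "__main__":
    for name, cfg in (("unbounded", UNBOUNDED), ("bounded", BOUNDED)):
        for ver in ("1.5.3", "2.0.0"):
            print(f"{name}: jspdf {ver} affected = {is_affected(cfg, 'parall', 'jspdf', ver)}")
```

With the unbounded entry 2.0.0 is still reported as affected; only the bounded entry lets a scanner working from NVD data stop flagging the fixed release.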

@HackbrettXXX
Collaborator

Thanks for the information. I submitted an update request.
