Smartsheet Javascript SDK Includes Vulnerable Node.js Version 2.88.1 (CVE-2023-28155) #30
Comments
|
On a quick look at this, we should fully move off of request as it is deprecated since Feb 2020 and no longer accepting changes, including a patch for this very same vulnerability. |
|
Marking this issue complete. |
|
Re-opening this issue as the initial change to replace |
|
Marking as complete again. Version 4.0.1 now addresses this issue by replacing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
=== Description ===
CVE-2023-28155 (https://nvd.nist.gov/vuln/detail/CVE-2023-28155) was discovered via Node Package Manager which manages Open Source dependencies like the Smartsheet NodeJS SDK.
=== Steps to Repro ===
Node Package Manager has an audit tool that cross references any open source dependencies, and their own nested open source dependencies, against the National Vulnerability Database. This audit tool found that the Smartsheet NodeJS SDK depends on a vulnerable version of request.
=== Severity ===
Low, due within 180 days
=== Remediation ===
https://github.com/smartsheet/smartsheet-javascript-sdk/blob/mainline/package.json
=== Addt'l Info ===
Reach out to #askus-prodsec for assist
The text was updated successfully, but these errors were encountered: