
[V3] Fix CVE-2022-0764 #12879

Closed
timyboy12345 opened this issue Mar 17, 2022 · 2 comments
Labels
good first issue Good for newcomers issue: bug Issue reporting a bug issue: security Issue reporting a security problem severity: low If the issue only affects a very niche base of users and an easily implemented workaround can solve source: core:strapi Source is core/strapi package status: confirmed Confirmed by a Strapi Team member or multiple community members

Comments

@timyboy12345

Bug report

Describe the bug

There is a security vulnerability in Strapi that prevents our deployment pipeline from running. There is already a fix implemented for v4.x, but upgrading is not on our short-term roadmap for now. It seems like the fix from v4 can be copied to v3 1-on-1, but since I've never contributed to this repository I was hoping there was someone willing to back-port the fix to v3.

Other information

@derrickmehaffy derrickmehaffy added issue: bug Issue reporting a bug severity: low If the issue only affects a very niche base of users and an easily implemented workaround can solve good first issue Good for newcomers status: confirmed Confirmed by a Strapi Team member or multiple community members issue: security Issue reporting a security problem source: core:strapi Source is core/strapi package labels Mar 21, 2022
@derrickmehaffy derrickmehaffy added this to To be reviewed (Open) in Developer Experience - Old via automation Mar 21, 2022
@derrickmehaffy derrickmehaffy removed this from To be reviewed (Open) in Developer Experience - Old Mar 21, 2022
@markkaylor markkaylor self-assigned this Mar 21, 2022
@markkaylor
Contributor

Hi @timyboy12345, sorry, I am not able to reproduce the issue described on huntr for Strapi version 3.x.

The security issue was introduced in v4.0.0 when we changed how we create projects with starters and templates via the CLI and fixed in v4.1.1. I believe it only exists between these versions.

Please let me know if I’ve missed something and I will fix it ASAP.

@timyboy12345
Author

I see. The record in the NVD states that all versions before 4.1.0 were impacted, including v3.x.x, meaning it gets flagged in yarn audit.

I've created a ticket with NIST asking them to change this, hopefully resulting in versions greater than 4.0.0-alpha.2 and smaller than 4.1.0 being flagged.
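The disagreement in this thread is about the affected-version range in the advisory, not about the code: an advisory that says "all versions before 4.1.0" makes an audit tool flag a v3 install, while a range bounded below by 4.0.0-alpha.2 does not. The following is an added example, not code from the issue, from Strapi, or from yarn audit; it is a dependency-free implementation of semver precedence (prerelease sorts below its release, numeric identifiers compare numerically, then alphabetically) with a minimal comparator-range evaluator. The sample version list and the two range strings are constructed for illustration; the example deliberately does not reproduce the npm `semver` package's extra rule that a prerelease only matches a range with a comparator on the same major.minor.patch tuple, so its results can differ from `yarn audit` for prerelease versions.

```javascript
// Added example (not from the issue or Strapi): a small semver range check
// that shows which installed versions each candidate advisory range flags.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into its parts. Build
// metadata is ignored for precedence, as semver 2.0.0 specifies.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Compare one prerelease identifier: numeric before alphanumeric,
// numerics by value, alphanumerics lexically.
function compareIdent(a, b) {
  const an = /^\d+$/.test(a);
  const bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 following semver precedence.
function compareVersions(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;  // release outranks any prerelease of the same core
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdent(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);  // more identifiers wins
}

// Range syntax supported here: space-separated comparators (>, >=, <, <=, =),
// all of which must hold. This is the intersection form advisories use.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((cmp) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
    const op = m[1] || '=';
    const c = compareVersions(version, m[2]);
    switch (op) {
      case '>': return c > 0;
      case '>=': return c >= 0;
      case '<': return c < 0;
      case '<=': return c <= 0;
      default: return c === 0;
    }
  });
}

// Returns the subset of `versions` an audit tool using `range` would flag.
function auditReport(versions, range) {
  return versions.filter((v) => satisfies(v, range));
}

// Constructed sample inputs: the two ranges discussed in the thread and a
// spread of version strings around the boundaries.
const RANGE_BROAD = '<4.1.0';                   // "all versions before 4.1.0"
const RANGE_NARROW = '>4.0.0-alpha.2 <4.1.0';   // the range the reporter asked NIST for
const SAMPLE_VERSIONS = [
  '3.6.8', '4.0.0-alpha.2', '4.0.0-beta.1', '4.0.0', '4.0.8', '4.1.0', '4.1.1',
];

console.log('flagged by', RANGE_BROAD, '=>', auditReport(SAMPLE_VERSIONS, RANGE_BROAD));
console.log('flagged by', RANGE_NARROW, '=>', auditReport(SAMPLE_VERSIONS, RANGE_NARROW));
```

Run with `node` and the first line lists the 3.x version among the flagged ones, the second does not; that difference is exactly what changes a `yarn audit` result without any code in the project changing.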

Projects
Status: Fixed/Shipped