Leonidas-from-XIV / node-xml2js

XML to JavaScript object converter.
MIT License

CVE-2023-0842 medium vulnerability reported against latest release 0.4.23 #663

Closed wnm3 closed 1 year ago

wnm3 commented 1 year ago

Today we started getting notifications for xml2js libraries having a medium vulnerability. I'd been using an older version 0.4.19 so forced updates to the latest 0.4.23 but the vulnerability remains with the current version. I know these are often debated whether they represent real problems, but if there is a fix you could issue that would be great. Thanks in advance for your help.

The problem reported by our monitoring system (whitesource/Mend) provided this detail: xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.

It seems the fix is to disallow keys for `__proto__` from XML content to be added in the js object...

NIST just shows this as awaiting analysis: https://nvd.nist.gov/vuln/detail/CVE-2023-0842
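As an added example (not xml2js code, and not the fix merged in #603): the kind of guard the CVE description calls for. A key from untrusted input is rejected if it would reach `Object.prototype`, nested objects are built with a null prototype so no inherited setter exists, and a separate scanner reports any such keys in a tree that some other converter has already produced. The helper names `isPrototypePollutingKey`, `safeSet`, `buildFromPath` and `findPollutingKeys` are hypothetical, and the sample inputs are constructed.

```javascript
// Added example, not code from xml2js or from PR #603.
// Keys that, used as a property name on a plain object, would let attacker
// input reach Object.prototype or a constructor.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True when a key taken from untrusted input must not become a property name.
function isPrototypePollutingKey(key) {
  return FORBIDDEN_KEYS.has(String(key));
}

// Sets value under key as an own, enumerable property of target.
// Refuses forbidden keys; defineProperty is used so that even a "__proto__"
// key could only ever create an own property, never invoke the inherited setter.
function safeSet(target, key, value) {
  if (isPrototypePollutingKey(key)) {
    throw new Error(`refusing to set property "${key}" from untrusted input`);
  }
  Object.defineProperty(target, key, {
    value, enumerable: true, writable: true, configurable: true,
  });
  return target;
}

// Builds a nested object from a list of element names and a leaf value, the
// way an XML-to-object converter nests child elements. Every level is created
// with Object.create(null), so the result carries no prototype at all.
// Hypothetical stand-in for a converter; not the xml2js API.
function buildFromPath(path, value) {
  const root = Object.create(null);
  let cursor = root;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (i === path.length - 1) {
      safeSet(cursor, key, value);
    } else {
      const child = Object.create(null);
      safeSet(cursor, key, child);
      cursor = child;
    }
  }
  return root;
}

// Detection side: walks an already-parsed tree (any converter's output, or
// JSON.parse output) and returns dotted paths of forbidden keys it contains.
// Object.keys lists an own "__proto__" property, which is exactly what an
// unguarded converter would have created.
function findPollutingKeys(obj, prefix = []) {
  const hits = [];
  if (obj === null || typeof obj !== 'object') return hits;
  for (const key of Object.keys(obj)) {
    const path = prefix.concat(key);
    if (isPrototypePollutingKey(key)) hits.push(path.join('.'));
    hits.push(...findPollutingKeys(obj[key], path));
  }
  return hits;
}

// Runs the helpers on constructed inputs and returns what happened, so the
// outcome can be checked rather than only printed.
function demo() {
  const ok = buildFromPath(['root', 'item'], 'x');
  let rejected = false;
  try {
    buildFromPath(['root', '__proto__', 'polluted'], 1);
  } catch (e) {
    rejected = true;
  }
  // Constructed sample of a tree an unguarded converter might have produced.
  const parsed = JSON.parse('{"a":{"__proto__":{"polluted":1}},"b":{"c":2}}');
  return {
    item: ok.root.item,
    rejected,
    globalUntouched: ({}).polluted === undefined,
    hits: findPollutingKeys(parsed),
  };
}

module.exports = { isPrototypePollutingKey, safeSet, buildFromPath, findPollutingKeys, demo };
```

The scanner is the piece a defender can apply today to the output of a dependency that cannot be upgraded yet: run it on the converted object before it is merged into configuration or request state, and treat any hit as a rejected input.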

cspotcode commented 1 year ago

This affects users of the latest aws-sdk v2, since it directly depends on xml2js. https://www.npmjs.com/package/aws-sdk?activeTab=dependencies

xml2js was most recently published in 2019, but the most recent code changes were merged in 2020, docs changes merged more recently than that. https://www.npmjs.com/package/xml2js?activeTab=versions https://github.com/Leonidas-from-XIV/node-xml2js/commits/master

Fotiman commented 1 year ago

This provides a great example for reproducing the vulnerability: https://fluidattacks.com/advisories/myers/

cspotcode commented 1 year ago

That report says that on 2023-02-14 "Vendor replied acknowledging the report" but I'm not sure if that means a fix is planned or not.

dmattia commented 1 year ago

Github's advisory lists this as high severity: https://github.com/advisories/GHSA-776f-qx25-q3cc

tambor81 commented 1 year ago

We found this CVE-2023-0842 reported as HIGH in our daily build, breaking the build for this library (our build breaks only for High and Critical). It shouldn't be high, because it depends on protractor (for e2e tests or unit tests), which is EOL, webdriver and other deprecated libraries.

Protractor is EOL and will be removed from @angular-devkit/build-angular in Angular 16...

Is anybody fixing this?

matthewmayer commented 1 year ago

Obligatory XKCD

Arisamiga commented 1 year ago

There has been a Pull Request open since 2021, https://github.com/Leonidas-from-XIV/node-xml2js/pull/603, that is a fix for this vulnerability.

OIRNOIR commented 1 year ago

I wish there was a facepalm reaction. We could have fixed the vulnerability a long time ago.

yuameshi commented 1 year ago

Any updates? Expo is affected too.

Leonidas-from-XIV commented 1 year ago

I've merged #603 and published xml2js 0.5.0 to NPM. Also updated some dependency versions on the way, but I need to look more closely into why requests is part of the dependency cone to start with.

wnm3 commented 1 year ago

Thank you -- I'd had to switch from request to got

matthewmayer commented 1 year ago

Could you push a 0.5.0 tag to GitHub, https://github.com/Leonidas-from-XIV/node-xml2js/tags ?

Leonidas-from-XIV commented 1 year ago

Yes, I will when I'm back home.

Leonidas-from-XIV commented 1 year ago

Pushed the tag.

scott-korin commented 1 year ago

> This affects users of the latest aws-sdk v2, since it directly depends on xml2js.

FYI, it's probably a good idea to upgrade to aws-sdk 3, since v2 will be going into maintenance mode this year. And yeah, I know how big of a PITA that might be.