Closed wnm3 closed 1 year ago
This affects users of the latest aws-sdk v2, since it directly depends on xml2js. https://www.npmjs.com/package/aws-sdk?activeTab=dependencies
xml2js was most recently published in 2019, but the most recent code changes were merged in 2020, with docs changes merged more recently than that. https://www.npmjs.com/package/xml2js?activeTab=versions https://github.com/Leonidas-from-XIV/node-xml2js/commits/master
This provides a great example for reproducing the vulnerability: https://fluidattacks.com/advisories/myers/
That report says that on 2023-02-14 "Vendor replied acknowledging the report" but I'm not sure if that means a fix is planned or not.
Github's advisory lists this as high severity: https://github.com/advisories/GHSA-776f-qx25-q3cc
We found CVE-2023-0842 reported as HIGH in our daily build, breaking it for this library (our build breaks only for High and Critical). It shouldn't be high, because it depends on protractor (for e2e tests or unit tests), which is EOL, webdriver and other deprecated libraries.
Protractor is EOL and will be removed from @angular-devkit/build-angular in Angular 16...
is anybody fixing this?
Obligatory XKCD
There has been a Pull Request open since 2021, https://github.com/Leonidas-from-XIV/node-xml2js/pull/603, that is a fix for this vulnerability.
I wish there was a facepalm reaction. We could have fixed the vulnerability a long time ago.
Any updates? Expo is affected too.
I've merged #603 and published xml2js 0.5.0 to NPM. Also updated some dependency versions on the way, but need to look into this closer why requests is part of the dependency cone to start with.
Thank you -- I'd had to switch from request to got
Could you push a 0.5.0 tag to GitHub? https://github.com/Leonidas-from-XIV/node-xml2js/tags
Yes, I will when I'm back home.
Pushed the tag.
> This affects users of the latest aws-sdk v2, since it directly depends on xml2js.
FYI, it's probably a good idea to upgrade to aws-sdk 3, since v2 will be going into maintenance mode this year. And yeah, I know how big of a PITA that might be.
Today we started getting notifications for xml2js libraries having a medium vulnerability. I'd been using an older version 0.4.19 so forced updates to the latest 0.4.23 but the vulnerability remains with the current version. I know these are often debated whether they represent real problems, but if there is a fix you could issue that would be great. Thanks in advance for your help.
The problem reported by our monitoring system (WhiteSource/Mend) provided this detail: xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
It seems the fix is to disallow `__proto__` keys from XML content from being added to the JS object...
NIST just shows this as awaiting analysis: https://nvd.nist.gov/vuln/detail/CVE-2023-0842