TimelordUK / node-sqlserver-v8

branched from node-sqlserver, SQL server driver compatible with all versions of Node

Security vulnerability detected in latest #316

Closed AvvariSreedhar closed 7 months ago

AvvariSreedhar commented 7 months ago

Hello, in the latest version (4.1.2), 2 CVEs were reported related to the dependencies on semver and minimist; more details are added below.


- minimist - 1.2.5
  - CVE-2021-44906
  - CVSS Score: 9.8
  - Fixed by version: 1.2.6
  - CVE Link: [here](https://nvd.nist.gov/vuln/detail/CVE-2021-44906)
  - Severity: CRITICAL_VULNERABILITY_SEVERITY
- semver - 7.3.8
  - CVE-2022-25883
  - CVSS Score: 7.5
  - Fixed by version: 7.5.2
  - CVE Link: [here](https://nvd.nist.gov/vuln/detail/CVE-2022-25883)
  - Severity: IMPORTANT_VULNERABILITY_SEVERITY
```
+-- msnodesqlv8@4.1.2
| +-- nan@2.18.0
| +-- node-abi@3.51.0
| | `-- semver@7.3.8
| |   `-- lru-cache@6.0.0 deduped
| `-- prebuild-install@7.1.1
|   +-- detect-libc@2.0.1
|   +-- expand-template@2.0.3
|   +-- github-from-package@0.0.0
|   +-- minimist@1.2.5
|   +-- mkdirp-classic@0.5.3
|   +-- napi-build-utils@1.0.2
|   +-- node-abi@3.51.0 deduped
|   +-- pump@3.0.0
|   | +-- end-of-stream@1.4.4
|   | | `-- once@1.4.0 deduped
|   | `-- once@1.4.0
|   |   `-- wrappy@1.0.2
|   +-- rc@1.2.8
|   | +-- deep-extend@0.6.0
|   | +-- ini@1.3.8
|   | +-- minimist@1.2.5 deduped
|   | `-- strip-json-comments@2.0.1
|   +-- simple-get@4.0.1
|   | +-- decompress-response@6.0.0
|   | | `-- mimic-response@3.1.0
|   | +-- once@1.4.0 deduped
|   | `-- simple-concat@1.0.1
|   +-- tar-fs@2.1.1
|   | +-- chownr@1.1.4
|   | +-- mkdirp-classic@0.5.3 deduped
|   | +-- pump@3.0.0 deduped
|   | `-- tar-stream@2.2.0
|   |   +-- bl@4.1.0
|   |   | +-- buffer@5.7.1
|   |   | | +-- base64-js@1.3.1 deduped
|   |   | | `-- ieee754@1.1.13 deduped
|   |   | +-- inherits@2.0.4 deduped
|   |   | `-- readable-stream@3.6.1 deduped
|   |   +-- end-of-stream@1.4.4 deduped
|   |   +-- fs-constants@1.0.0
|   |   +-- inherits@2.0.4 deduped
|   |   `-- readable-stream@3.6.1
|   |     +-- inherits@2.0.4 deduped
|   |     +-- string_decoder@1.1.1 deduped
|   |     `-- util-deprecate@1.0.2 deduped
|   `-- tunnel-agent@0.6.0 deduped
```

Can you please take a look and let us know how to remedy the reported CVEs (CVE-2021-44906, CVE-2022-25883)?

TimelordUK commented 7 months ago

node-abi can probably be removed from msnodesqlv8 as it’s included by prebuild-install. Even then, the vulnerability will still be there when we remove it from msnodesqlv8.
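To see which paths pull the flagged versions into a tree like the one posted above (both the direct node-abi dependency and the copies reached through prebuild-install), here is an added example, not the project's code, that parses `npm ls` output and reports every package below the fixed versions named in the report, deduped entries included. The advisory map and the sample tree excerpt are taken from this issue; the parsing logic is an assumption about the standard `npm ls` text layout.

```javascript
// Added example (not the project's code): scan `npm ls` output for packages
// below the fixed versions named in the report. Advisory data is from the issue.
const ADVISORIES = {
  minimist: { fixed: '1.2.6', cve: 'CVE-2021-44906' },
  semver:   { fixed: '7.5.2', cve: 'CVE-2022-25883' },
};
// Compare dotted versions numerically: <0 if a < b, 0 if equal, >0 if a > b.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Parse the tree: depth is the width of the "| " gutter before the "+-- " or
// "`-- " branch marker (two columns per level); "deduped" nodes are kept.
function findVulnerable(treeText) {
  const LINE = /^([| ]*?)[+`]-- ([^@\s]+)@(\S+)( deduped)?\s*$/;
  const stack = [], findings = [];
  for (const raw of treeText.split('\n')) {
    const m = LINE.exec(raw);
    if (!m) continue;
    const depth = m[1].length / 2, name = m[2], version = m[3];
    stack.length = depth;              // leave the previous sibling's subtree
    stack.push(`${name}@${version}`);
    const adv = ADVISORIES[name];
    if (adv && cmpVersion(version, adv.fixed) < 0) {
      findings.push({ name, version, cve: adv.cve, fixed: adv.fixed,
        deduped: Boolean(m[4]), path: stack.join(' > ') });
    }
  }
  return findings;
}
// Excerpt of the tree posted in the issue (array form: the markers contain backticks).
const SAMPLE_TREE = [
  '+-- msnodesqlv8@4.1.2',
  '| +-- node-abi@3.51.0',
  '| | `-- semver@7.3.8',
  '| `-- prebuild-install@7.1.1',
  '|   +-- minimist@1.2.5',
  '|   +-- node-abi@3.51.0 deduped',
  '|   `-- rc@1.2.8',
  '|     `-- minimist@1.2.5 deduped',
].join('\n');
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findVulnerable(SAMPLE_TREE))
    console.log(`${f.cve} ${f.path} -> fixed in ${f.fixed}${f.deduped ? ' (deduped)' : ''}`);
}
```

Pipe the real output of `npm ls --all` into `findVulnerable` to get the full list of paths; each one is a place the fixed version has to reach, whether by an upstream bump or a package-level override.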