Open areyes05 opened 3 years ago
Protractor is using selenium-webdriver as a peer dependency. selenium-webdriver is using jquery 1.4.4 internally, which has many vulnerabilities. Can you please fix this ASAP? I am using "protractor": "~7.0.0" with Angular version 11.0.1.
Vulnerabilities reported on the jquery 1.4.x version: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708
I scanned the protractor 7.0.0 version in Nexus IQ and it is showing a selenium-webdriver 3.6.0 vulnerability. Refer to the screenshot below. Protractor 7.0.0 should be updated with the latest selenium-webdriver version.
This depends on the work in progress in PR https://github.com/angular/protractor/pull/5516.
At @GlobaLeaks we have the same concern and we would like to offer our support in retesting if this could help in getting a version with up-to-date and safe dependency versions soon. Thank you if you could look at this.
Vulnerability Report
A scan using the OWASP dependency-check reveals that Protractor uses an outdated version of selenium-webdriver which has several vulnerabilities that were patched on release 4.0.0-alpha.7.
https://nvd.nist.gov/vuln/detail/CVE-2020-11022
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6708
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023
Could it be possible to update this dependency so that Protractor will not be vulnerable?
I also recommend adding a security policy on GitHub so that the contributors can get a chance to address these issues before they are made public. It might also be worth considering adding the dependency checker to the pipeline.
Thanks
AR
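The report above asks for the outdated selenium-webdriver to be caught in the pipeline. As an added example (not code from Protractor, selenium-webdriver or any of the commenters), the script below walks an npm lockfile (v2/v3 "packages" map, an assumed format) and flags every installed copy of selenium-webdriver older than 4.0.0-alpha.7, the release the report names as carrying the jQuery fixes; treating everything below that version as affected is an assumption taken from the thread. The embedded lockfile is constructed to mirror the thread (protractor 7.0.0 pulling in selenium-webdriver 3.6.0); pass a real package-lock.json path as the first argument to scan a project.

```javascript
// Added example: flag lockfile entries of a package below a patched version.
// Assumption: package-lock.json v2/v3 layout, where "packages" is keyed by
// node_modules path and nested copies appear as ".../node_modules/<name>".

// Minimum version the thread names as patched (assumed cut-off).
const PATCHED = "4.0.0-alpha.7";

// Parse "MAJOR.MINOR.PATCH[-pre.N]" into a numeric core and prerelease identifiers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  const pre = m[4]
    ? m[4].split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : p))
    : null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// semver-style ordering: numeric core first; a release sorts above any
// prerelease of the same core; prerelease identifiers compare numerically
// when both are numeric, otherwise lexically, numeric sorting lowest.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i];
    const y = pb.pre[i];
    if (x === undefined) return -1; // shorter prerelease list sorts lower
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x < y ? -1 : 1;
    if (typeof x === "number") return -1;
    if (typeof y === "number") return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name`, top-level or nested, with its path.
function findInstalled(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Copies strictly below the patched version; a CI step can fail on a non-empty list.
function findVulnerable(lock, name = "selenium-webdriver", patched = PATCHED) {
  return findInstalled(lock, name).filter((h) => compareVersions(h.version, patched) < 0);
}

// Load a real lockfile from disk (only needed when scanning a project).
function readLock(file) {
  const fs = require("fs");
  return JSON.parse(fs.readFileSync(file, "utf8"));
}

// Constructed lockfile mirroring the thread: protractor 7.0.0 with
// selenium-webdriver 3.6.0, plus a nested, already-patched copy elsewhere.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/protractor": { version: "7.0.0" },
    "node_modules/selenium-webdriver": { version: "3.6.0" },
    "node_modules/other-tool/node_modules/selenium-webdriver": { version: "4.0.0-alpha.7" },
  },
};

// Print findings and return the count, so a wrapper can turn it into an exit code.
function report(lock) {
  const bad = findVulnerable(lock);
  for (const h of bad) console.log(`${h.path}: ${h.version} is below ${PATCHED}`);
  return bad.length;
}

const lockToScan = process.argv[2] ? readLock(process.argv[2]) : SAMPLE_LOCK;
report(lockToScan);
```

Run with `node check-selenium.js path/to/package-lock.json` in a pipeline step and fail the build when `report()` returns a non-zero count; the nested-path match matters because a patched top-level copy can coexist with an old copy pulled in beneath another dependency, which a top-level-only check would miss.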