aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Aws-amplify@5.3.19 has Apache HTTP Server 2.0 vulnerabilities CVE-2004-1834, CVE-2005-3357 and CVE-2005-2728 #13563

Closed sb-wong closed 2 weeks ago

sb-wong commented 1 month ago

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

v5

Amplify Categories

auth

Backend

None

Environment information

```
System:
  OS: macOS 13.3
  CPU: (8) arm64 Apple M1
  Memory: 50.80 MB / 8.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 16.13.0 - ~/.nvm/versions/node/v16.13.0/bin/node
  Yarn: 1.22.19 - ~/.nvm/versions/node/v16.13.0/bin/yarn
  npm: 8.1.0 - ~/.nvm/versions/node/v16.13.0/bin/npm
  Watchman: 2024.05.06.00 - /opt/homebrew/bin/watchman
Browsers:
  Chrome: 126.0.6478.127
  Edge: 126.0.2592.87
  Safari: 16.4
npmPackages:
  @emotion/react: ^11.11.3 => 11.11.3
  @emotion/styled: ^11.11.0 => 11.11.0
  @hookform/resolvers: ^3.3.4 => 3.3.4
  @hookform/resolvers/ajv: 1.0.0
  @hookform/resolvers/arktype: 1.0.0
  @hookform/resolvers/class-validator: 1.0.0
  @hookform/resolvers/computed-types: 1.0.0
  @hookform/resolvers/io-ts: 1.0.0
  @hookform/resolvers/joi: 1.0.0
  @hookform/resolvers/nope: 1.0.0
  @hookform/resolvers/superstruct: 1.0.0
  @hookform/resolvers/typanion: 1.0.0
  @hookform/resolvers/typebox: 1.0.0
  @hookform/resolvers/valibot: 1.0.0
  @hookform/resolvers/vest: 1.0.0
  @hookform/resolvers/yup: 1.0.0
  @hookform/resolvers/zod: 1.0.0
  @mui/icons-material: ^5.15.3 => 5.15.3
  @mui/lab: ^5.0.0-alpha.159 => 5.0.0-alpha.159
  @mui/material: ^5.15.3 => 5.15.3
  @mui/x-data-grid: ^6.18.7 => 6.18.7
  @mui/x-date-pickers: ^6.18.7 => 6.18.7
  @tanstack/react-query: ^4.36.1 => 4.36.1
  @types/react: ^18.2.43 => 18.2.47
  @types/react-dom: ^18.2.17 => 18.2.18
  @typescript-eslint/eslint-plugin: ^6.14.0 => 6.18.1
  @typescript-eslint/parser: ^6.14.0 => 6.18.1
  @vitejs/plugin-react: ^4.2.1 => 4.2.1
  aws-amplify: ^5.2.1 => 5.3.19
  axios: ^1.6.7 => 1.6.7
  copy-to-clipboard: ^3.3.3 => 3.3.3
  dayjs: ^1.11.10 => 1.11.10
  eslint: ^8.55.0 => 8.56.0
  eslint-plugin-react-hooks: ^4.6.0 => 4.6.0
  eslint-plugin-react-refresh: ^0.4.5 => 0.4.5
  jwt-decode: ^4.0.0 => 4.0.0
  lodash: ^4.17.21 => 4.17.21
  qrcode.react: ^3.1.0 => 3.1.0
  react: ^18.2.0 => 18.2.0
  react-dom: ^18.2.0 => 18.2.0
  react-dropzone: ^14.2.3 => 14.2.3
  react-hook-form: ^7.49.3 => 7.49.3
  react-router-dom: ^6.21.1 => 6.21.1
  sass: ^1.69.7 => 1.69.7
  typescript: ^5.2.2 => 5.3.3
  uuid: ^9.0.1 => 9.0.1 (3.4.0, 8.3.2)
  vite: ^5.0.0 => 5.0.11
  zod: ^3.22.4 => 3.22.4
npmGlobalPackages:
  corepack: 0.10.0
  http-server: 14.1.1
  npm: 8.1.0
  sass: 1.69.7
  tsc: 2.0.4
  typescript: 5.2.2
  vite: 5.0.11
  wscat: 5.2.0
  yarn: 1.22.19
```

Describe the bug

We were using the aws-amplify@5.3.19 package, which contains the following vulnerabilities due to using an outdated Apache version (versions 2.0.54 or lower).

These issues were found in a web application penetration test of our application.

Currently we are in the process of upgrading the aws-amplify package to the latest version, aws-amplify@6.3.8, but we would like confirmation of whether this new aws-amplify package version still uses the older version of Apache and will still contain the same vulnerabilities as mentioned.

Expected behavior

no security issues

Reproduction steps

  1. npm install aws-amplify@5.3.19

Code Snippet

no code snippet applicable.

Log output

no log outputs applicable.

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

ashwinkumar6 commented 1 month ago

Hello @sb-wong . Thank you for reporting this.

From what I can gather, the vulnerabilities linked have to do with https://httpd.apache.org/. The Amplify library should not be prescribing the server technology even in version 5 as it is a front end library. Could you please confirm how this CVE was detected? When installing aws-amplify@5.3.19 locally, we are able to confirm they do not show up in npm audit.

cwomack commented 3 weeks ago

@sb-wong, wanted to ping you again to see if you had a chance to review the above comment and if you had a chance to verify if the CVE and findings are being caused by Amplify. Thank you!

sb-wong commented 3 weeks ago

Hello, I apologize for the late response. I've looked into the issue and confirmed that npm audit does not report any vulnerabilities. But this vulnerability was reported from a Vulnerability Assessment and Penetration Testing (VAPT) of our React web application. The vulnerability was detected in the web build JS file, https://example-web-domain/assets/index-Q4ia-Rr9.js. It seems to have been found in several comments in the compiled JS code in the build JS file.

Currently I would like to confirm if the Apache version mentioned in this comment does not reflect Apache or any such software library used in the npm package?

ashwinkumar6 commented 3 weeks ago

Hi @sb-wong, yes, the comment linked in the image below refers to the Apache-2.0 license (similar to the MIT license) and does not reflect any Apache software libraries being used.

sb-wong commented 3 weeks ago

Hello @ashwinkumar6, thank you for the response. So can we conclude that the results from our VAPT are just a misunderstanding of the Apache-2.0 license, which was mistaken for the Apache HTTP Server software library?

ashwinkumar6 commented 3 weeks ago

Hi @sb-wong, yes, that's right. Amplify JS does not have a dependency on Apache HTTP Server. Is it possible that the web app that was pen tested runs an Apache HTTP Server somewhere that might be causing these CVEs?
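The license-comment false positive this thread resolves can be triaged mechanically before a finding is raised against a library. The following is an added example, not amplify-js code and not anything from the reporter's scan: it walks a built bundle line by line and labels each "Apache" mention as Apache-2.0 license text, an httpd-style "Apache/<version>" banner, or unclassified; the sample bundle text is constructed.

```javascript
// Added example (not amplify-js code): triage "Apache" hits a scanner reports from
// a built JS bundle. Kept license comments survive minification; only an
// "Apache/<version>" banner string is evidence of httpd.
// Constructed sample bundle text (not from any real build output).
const SAMPLE_BUNDLE = [
  '/*! @license Apache-2.0 */',
  '/**',
  ' * Licensed under the Apache License, Version 2.0 (the "License").',
  ' * http://www.apache.org/licenses/LICENSE-2.0',
  ' */',
  'const banner = "Server: Apache/2.0.54 (Unix)"; // constructed contrast case',
  'const note = "ask the apache team"; // a mention with neither version nor license',
].join('\n');

// Strings that identify the Apache-2.0 license, not the httpd server.
const LICENSE_PATTERNS = [
  /\bApache-2\.0\b/,
  /Apache License,? Version 2\.0/i,
  /apache\.org\/licenses\/LICENSE-2\.0/i,
  /SPDX-License-Identifier:\s*Apache-2\.0/,
];
// A product/version token as httpd emits it in a Server header.
const SERVER_BANNER = /\bApache\/(\d+\.\d+(?:\.\d+)?)/;

// Returns one record per line that mentions "apache", labelled by what it is.
function classifyApacheMentions(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    if (!/apache/i.test(line)) return;
    const banner = line.match(SERVER_BANNER);
    let kind = 'unclassified';
    let version = null;
    if (banner) {
      kind = 'server-banner';
      version = banner[1];
    } else if (LICENSE_PATTERNS.some((p) => p.test(line))) {
      kind = 'license-text';
    }
    findings.push({ line: idx + 1, kind, version, text: line.trim() });
  });
  return findings;
}

// Counts findings per kind; a bundle like Amplify's shows license-text only.
function summarize(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.kind]: (acc[f.kind] || 0) + 1 }), {});
}

console.log(summarize(classifyApacheMentions(SAMPLE_BUNDLE)));
```

Only a server-banner hit (or an unclassified one that survives manual review) warrants a finding; license-text hits belong in the report as explained false positives.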

cwomack commented 2 weeks ago

@sb-wong, closing this issue out because it seems we've got the clarity needed and questions answered. If there's anything else, feel free to comment back and let us know. Thank you!

sb-wong commented 1 week ago

Hello, apologies for the late reply. I am here to confirm that we were able to resolve the issues with our VAPT scans with the answers provided. We were able to pass the pen test with the proven information that no outdated Apache software library was used. Thank you @ashwinkumar6 and @cwomack for the support on this ticket.