Closed sb-wong closed 2 weeks ago
Hello @sb-wong . Thank you for reporting this.
From what I can gather, the vulnerabilities linked have to do with https://httpd.apache.org/. The Amplify library should not be prescribing the server technology even in version 5, as it is a front-end library. Could you please confirm how this CVE was detected? When installing aws-amplify@5.3.19 locally, we are able to confirm they do not show up in npm audit.
@sb-wong, wanted to ping you again to see if you had a chance to review the above comment and if you had a chance to verify if the CVE and findings are being caused by Amplify. Thank you!
Hello, I apologize for the late response. I've looked into the issue and confirmed that npm audit does not report any vulnerabilities. But this vulnerability was reported from a Vulnerability Assessment and Penetration Testing (VAPT) of our React web application. The vulnerability was detected from the web build JS file, https://example-web-domain/assets/index-Q4ia-Rr9.js. It seems to have been found in several comments in the compiled JS code in the build file.
Currently I would like to confirm whether the Apache version mentioned in this comment reflects Apache or any such software libraries used in the npm package?
Hi @sb-wong, yes, the comment linked in the image below refers to the Apache-2.0 license (similar to the MIT license) and does not reflect any Apache software libraries being used.
Hello @ashwinkumar6, thank you for the response. So can we conclude that the results from our VAPT are just a misunderstanding of the Apache-2.0 license, which was mistaken for the Apache HTTP server software library?
Hi @sb-wong, yes, that's right. Amplify JS does not have a dependency on Apache HTTP server. Is it possible that the web app that was pen tested runs an Apache HTTP server somewhere that might be causing these CVEs?
@sb-wong, closing this issue out because it seems we've got the clarity needed and questions answered. If there's anything else, feel free to comment back and let us know. Thank you!
Hello, apologies for the late reply. I am here to confirm that we were able to resolve our issues with our VAPT scans with the answers provided. We were able to pass the pen test with the proven information that no outdated Apache software library was used. Thank you @ashwinkumar6 and @cwomack for the support on this ticket.
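As an added illustration of the false positive worked out in this thread (this is not code from the Amplify JS project or from any of the commenters): a small Node.js script showing why an over-broad "Apache plus version number" pattern reads an Apache-2.0 license header in a minified bundle as an Apache HTTP Server version, and how the text around each hit separates a license comment from a real server banner. The bundle lines and the HTTP response fragment are constructed samples, and the context keywords used for classification are assumptions chosen for the demonstration.

```javascript
// Added example; not code from the Amplify JS project or from this thread's
// participants. Demonstrates how an over-broad "Apache <version>" pattern
// flags Apache-2.0 license headers inside a minified bundle, and how a
// reviewer can triage each hit by the text around it.

// Over-broad pattern of the kind that produces the false positive: "Apache",
// optionally "License", separators, optionally "Version", then a dotted
// number. Matches "Apache License, Version 2.0", "Apache-2.0" and
// "Apache/2.0.52" alike.
const APACHE_VERSION_PATTERN =
  /apache(?:\s+license)?[\s,/-]*(?:version\s*)?(\d+\.\d+(?:\.\d+)?)/gi;

// Context keywords (assumed for this demonstration) used to classify a hit.
const SERVER_BANNER_HINTS = /\bserver:|\((?:unix|ubuntu|debian|win32|centos)\)|httpd/i;
const LICENSE_HINTS = /licen[cs]e|spdx|copyright|apache-2\.0/i;

// Constructed sample of a minified bundle carrying typical license banners.
const SAMPLE_BUNDLE = [
  '/*! Copyright 2020 Example Corp. Licensed under the Apache License, Version 2.0 (the "License"); */',
  '!function(){"use strict";var e={};/* @license Apache-2.0 */e.x=1}();',
  '// SPDX-License-Identifier: Apache-2.0',
].join('\n');

// Constructed HTTP response fragment: the kind of evidence that would actually
// point at a web server version, included so the classifier can tell them apart.
const SAMPLE_BANNER = 'HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (Unix)\r\n';

// Returns one finding per pattern hit: the matched text, the version it
// captured, and a classification derived from `window` characters of context
// on either side of the match.
function classifyApacheMentions(text, window = 80) {
  // Fresh RegExp per call so the global lastIndex never leaks between inputs.
  const pattern = new RegExp(APACHE_VERSION_PATTERN.source, 'gi');
  const findings = [];
  let match;
  while ((match = pattern.exec(text)) !== null) {
    const start = Math.max(0, match.index - window);
    const end = Math.min(text.length, match.index + match[0].length + window);
    const context = text.slice(start, end);
    let kind = 'unverified';
    if (SERVER_BANNER_HINTS.test(context)) kind = 'server-banner';
    else if (LICENSE_HINTS.test(context)) kind = 'license-header';
    findings.push({ snippet: match[0], version: match[1], kind });
  }
  return findings;
}

// Counts findings per classification, e.g. { 'license-header': 3 }.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Stand-alone run: the bundle yields only license headers, the banner a server hit.
console.log('bundle:', summarize(classifyApacheMentions(SAMPLE_BUNDLE)));
console.log('banner:', classifyApacheMentions(SAMPLE_BANNER));
```

Run it with `node` on a real build artifact by reading the file into `classifyApacheMentions`; every hit classified as `license-header` is the case this thread describes, while a `server-banner` hit would come from an HTTP response, not from the bundled JavaScript, and should be traced to the host serving the app rather than to the npm package.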
Before opening, please confirm:
JavaScript Framework: React
Amplify APIs: Authentication
Amplify Version: v5
Amplify Categories: auth
Backend: None
Environment information:
Describe the bug
We were using the aws-amplify@5.3.19 package, which contains the following vulnerabilities due to using an outdated Apache version (versions 2.0.54 or lower). These issues were found in a web application penetration test of our application.
Currently we are in the process of upgrading the aws-amplify package to the latest version, aws-amplify@6.3.8, but we would like confirmation whether this new aws-amplify package version is still using the older version of Apache and whether it will still contain the same vulnerabilities as mentioned.
Expected behavior
No security issues.
Reproduction steps: aws-amplify@5.3.19
Code Snippet: No code snippet applicable.
Log output: No log outputs applicable.
aws-exports.js: No response
Manual configuration: No response
Additional configuration: No response
Mobile Device: No response
Mobile Operating System: No response
Mobile Browser: No response
Mobile Browser Version: No response
Additional information and screenshots: No response