Closed Joshua2Dobbs125 closed 2 years ago
Hi team,

Could you please suggest the next step on the resolution of this issue?
Hi Joshua,

aws-lambda does not enforce the aws-sdk version; it is possible that your project includes a package-lock.json or npm-shrinkwrap.json, or depends on another npm package that enforces a specific aws-sdk version.

As per package.json:
```json
"dependencies": {
  "aws-sdk": "*",
  "js-yaml": "^3.13.1",
  "watchpack": "^2.0.0-beta.10",
  "commander": "^3.0.2"
},
```
After npm install:

```
$ npm list
└─┬ aws-lambda@1.0.6
  ├─┬ aws-sdk@2.1023.0
  │ ├─┬ buffer@4.9.2
  │ │ ├── base64-js@1.5.1
  │ │ ├── ieee754@1.1.13 deduped
  │ │ └── isarray@1.0.0
  │ ├── events@1.1.1
  │ ├── ieee754@1.1.13
  │ ├── jmespath@0.15.0
  │ ├── querystring@0.2.0
  │ ├── sax@1.2.1
  │ ├─┬ url@0.10.3
  │ │ ├── punycode@1.3.2
  │ │ └── querystring@0.2.0 deduped
  │ ├── uuid@3.3.2
  │ └─┬ xml2js@0.4.19
  │   ├── sax@1.2.1 deduped
  │   └── xmlbuilder@9.0.7
  ├── commander@3.0.2
  ├─┬ js-yaml@3.14.1
  │ ├─┬ argparse@1.0.10
  │ │ └── sprintf-js@1.0.3
  │ └── esprima@4.0.1
  └─┬ watchpack@2.2.0
    ├── glob-to-regexp@0.4.1
    └── graceful-fs@4.2.8
```
Published aws-lambda@1.0.7 with aws-sdk@^2.814.0.
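Because aws-lambda itself does not pin aws-sdk, a lock file or a transitive dependency can keep an affected copy installed even after upgrading. The following is an added example (not code from the aws-lambda project or from anyone in this thread) that audits a parsed package-lock.json for every aws-sdk resolution older than 2.814.0, the fixed release named in the advisory; the `SAMPLE_LOCK` object and the `FIXED_AWS_SDK` constant are constructed for the example.

```javascript
// Added example (not aws-lambda project code): audit a parsed
// package-lock.json for aws-sdk resolutions older than the fixed release.
const FIXED_AWS_SDK = "2.814.0"; // first aws-sdk release with the ini-loader fix

// Compare dotted numeric versions; returns -1, 0 or 1 (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10) || 0);
  const pb = b.split(".").map((x) => parseInt(x, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every resolved aws-sdk in the lock file, with the node_modules path that
// pins it. Handles lockfileVersion 2/3 ("packages") and v1 ("dependencies").
function findAwsSdk(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.split("/").pop() === "aws-sdk" && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found; // v2 lock files also carry "dependencies"; avoid double counting
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "aws-sdk" && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`); // nested copies pinned by another package
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Entries that still resolve to an affected aws-sdk (< 2.814.0).
function vulnerableAwsSdk(lock) {
  return findAwsSdk(lock).filter((e) => compareVersions(e.version, FIXED_AWS_SDK) < 0);
}

// Constructed sample: the top-level aws-sdk is current, but a transitive
// dependency ("some-tool", hypothetical) pins an affected copy of its own.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "aws-sdk": { version: "2.1023.0" },
    "some-tool": { version: "1.0.0", dependencies: { "aws-sdk": { version: "2.800.0" } } },
  },
};
console.log(vulnerableAwsSdk(SAMPLE_LOCK));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `vulnerableAwsSdk` in place of the constructed sample.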
Hi,

We are observing a security issue with aws-lambda version 1.0.6 due to the aws-sdk dependency it references.

Comments: This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and the package aws-sdk before 2.814.0. If an attacker submits a malicious ini file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.

References:
- https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9
- https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425
- https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424
- https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304