benzino77 / clamav-rest-api

ClamAV REST API. Scan files using simple POST request.
MIT License

Open vulnerabilities for express-fileupload #55

Closed jhtann closed 5 months ago

jhtann commented 7 months ago

Currently, at the latest master e107592, I've observed that express-fileupload is using version 1.4.0, which exposes vulnerabilities CVE-2022-27140 (critical) and CVE-2022-27261 (high).

Despite upgrading to version 1.5.0, both vulnerabilities persist in the Express-fileupload library.

Details:

CVE-2022-27140 (CRITICAL): being disputed in the NIST database
CVE-2022-27261 (HIGH): still open, might pose a risk for file overwrite

Previous Discussions:

Issue #312
Issue #316

Do we assess the risks associated with these vulnerabilities, given that we are using express-fileupload: 1.4.0?

benzino77 commented 6 months ago

Hi,

Based on the CVE links you provided, the v1.4.0 version of express-fileupload is not vulnerable. Based on the issue links you provided, it is also indicated that the vulnerability is "questionable":


CVE-2022-27140 is marked as "disputed".

jhtann commented 6 months ago

yea, is there any plan to upgrade the express-fileupload version to 1.5.0, even if the "disputed" CVE exists in the latest version 🤔

benzino77 commented 6 months ago

Will take a look at that after my vacations.

benzino77 commented 6 months ago

Looks like v1.5.0 brings some "unexpected" breaking changes. For now I've upgraded the express-fileupload package to v1.4.3 and pushed a new docker image to the repository. When I have more time, I will try to investigate why clamav-rest-api is not working as expected with version v1.5.0.

jhtann commented 6 months ago

thanks @benzino77 for the update and finding 👍

benzino77 commented 5 months ago

I have updated express-fileupload to v1.5.0 and pushed a new docker image version.
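As an added example (not code from the clamav-rest-api project or from either participant), the check below walks a package-lock.json and reports every pinned express-fileupload version that is older than the v1.5.0 the maintainer settled on; the sample lockfile, the minimum version and the function names are constructed for this illustration, and the lockfile v1/v2/v3 layouts handled are the npm formats, not anything specific to this repository.

```javascript
// Added example: audit a package-lock.json for express-fileupload versions
// below a chosen minimum (1.5.0, the version adopted at the end of the thread).
// Lockfile v2/v3 lists installed packages under "packages" keyed by install
// path; lockfile v1 nests them under "dependencies". Both shapes are handled.

const MIN_OK = "1.5.0"; // assumption: anything older is flagged for review

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1 if a < b, 0 if equal, 1 if a > b (major.minor.patch only; prerelease tags ignored)
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every install path of `name` with its version; nested copies are reported too.
function findVersions(lock, name) {
  const found = [];
  if (lock.packages) { // lockfile v2/v3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) { // lockfile v1
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

function auditLock(lock, name = "express-fileupload", minOk = MIN_OK) {
  return findVersions(lock, name).map((e) => ({ ...e, belowMinimum: compareSemver(e.version, minOk) < 0 }));
}

// Constructed sample lockfile (v2 shape) pinning the version the issue was opened against.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: { "": { name: "clamav-rest-api" }, "node_modules/express-fileupload": { version: "1.4.0" } } };

console.log(auditLock(SAMPLE_LOCK)); // [{ path: 'node_modules/express-fileupload', version: '1.4.0', belowMinimum: true }]
```

To run it against a real lockfile, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.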