cap-js-community / odata-v2-adapter

OData V2 adapter for CDS. Exposes a full-fledged OData V2 service, converting OData V2 requests to CDS OData V4 service calls and responses back.
https://www.npmjs.com/package/@cap-js-community/odata-v2-adapter
Apache License 2.0

express-fileupload vulnerability CVE-2022-27140 found in security scan #53

Closed juhiekbote closed 3 months ago

juhiekbote commented 3 months ago

Hi,

In the security scan, a critical vulnerability CVE-2022-27140 was reported for express-fileupload, which is one of the internal dependencies of @cap-js-community/odata-v2-adapter, with the description below:

An arbitrary file upload vulnerability in the file upload module of express-fileupload 1.3.1 allows attackers to execute arbitrary code via a crafted PHP file. NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API": the express-fileupload middleware is not responsible for an application's business logic (e.g., determining whether or how a file should be renamed).

NOTE: We are using the latest version (1.5.0) of this dependency. Can you please help to remediate this vulnerability in this dependency?

Many Thanks.

Regards, Juhi Jadav

oklemenz2 commented 3 months ago

The vulnerability is disputed (see here: https://nvd.nist.gov/vuln/detail/CVE-2022-27140).

NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API"

Personally, I also think that the vulnerability is not valid, and other experts do as well:

The referenced YouTube video does not show a real vulnerability, but an intentional misuse.

CDS OData V2 Adapter always uses the latest version of express-fileupload. If the maintainers of express-fileupload provide security fixes, users of CDS OData V2 Adapter will automatically benefit from them when updating the package lock. From the CDS OData V2 Adapter perspective I see no need for action here. So I would recommend ignoring this vulnerability, as it is disputed.