carbon-design-system / carbon-charts

:bar_chart: :chart_with_upwards_trend: Robust dataviz framework implemented using D3 & typescript
https://charts.carbondesignsystem.com
Apache License 2.0

PSIRT vulnerability for glob-parent #1331

Closed PAnilReddy closed 2 years ago

PAnilReddy commented 2 years ago

Contact Details

apatloll@in.ibm.com

What happened?

Per the PSIRT, we need to move to glob-parent (6.0.1 or later). We are on the cloudpal version: @console/pal@1.454.1

Summary: Node.js glob-parent module denial of service CVE-2021-35065

Details: globparent-cve202135065-dos (208298) - reported on 2021-06-24 (Format: yyyy-mm-dd)

Node.js glob-parent module is vulnerable to a denial of service, caused by an error in the enclosure regex. By sending a specially crafted string prepended with the letter A, a remote attacker could exploit this vulnerability to cause a regular expression denial of service.

Consequences: Denial of Service

Remedy: Upgrade to the latest version of glob-parent module (6.0.1 or later), available from the NPM Web site. See References.

X-Force Record: https://exchange.xforce.ibmcloud.com/vulnerabilities/208298

Attention: If the CVE is excluded from OWASP scanning, make sure to include it back, while remediating corresponding PSIRT. Acknowledge with appropriate comment before closing the PSIRT.

As per this https://www.cybersecurity-help.cz/vdb/SB2021072101 5.1.2 is impacted. So we need a fix for this.


Version

@carbon/charts@0.54.12

Data & options used

No response

Relevant log output

https://www.cybersecurity-help.cz/vdb/SB2021072101


Codesandbox example

No response
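A defender-side check that matches the remedy stated in the advisory above. This snippet is an added example, not code from the carbon-charts project or from the issue author. It walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and lists every installed copy of glob-parent below 6.0.1, together with the nesting path that shows which dependency pulls it in, which is the question the thread ends up chasing (carbon-charts vs. carbon-components). The lockfile contents and the nesting paths are constructed for illustration; only the package name and the versions come from the thread.

```javascript
// Added example (not from the carbon-charts issue): scan an npm lockfile for
// installed copies of a dependency below the advisory's fixed version.
// SAMPLE_LOCK is constructed; the chokidar/fast-glob nesting is hypothetical.

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { "@carbon/charts": "0.54.12" } },
    "node_modules/@carbon/charts": { version: "0.54.12" },
    "node_modules/glob-parent": { version: "6.0.2" },
    "node_modules/chokidar": { version: "3.5.1", dependencies: { "glob-parent": "~5.1.2" } },
    "node_modules/chokidar/node_modules/glob-parent": { version: "5.1.2" },
    "node_modules/fast-glob/node_modules/glob-parent": { version: "5.1.2" }
  }
};

// Compare two "x.y.z[-pre][+build]" versions; returns -1, 0 or 1.
// Build metadata is ignored and a release sorts above a pre-release of the
// same number, as semver specifies. Pre-release tags compare as plain strings.
function compareVersions(a, b) {
  const parse = (v) => {
    const noBuild = v.replace(/^v/, "").split("+")[0];
    const dash = noBuild.indexOf("-");
    const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
    const pre = dash === -1 ? null : noBuild.slice(dash + 1);
    return { nums: core.split(".").map(Number), pre };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const da = pa.nums[i] ?? 0, db = pb.nums[i] ?? 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release > pre-release
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Package name from a lockfile path: the last segment, or the last two when
// the preceding segment is a scope ("node_modules/@carbon/charts").
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("/");
  const last = parts[parts.length - 1];
  const prev = parts[parts.length - 2];
  return prev && prev.startsWith("@") ? `${prev}/${last}` : last;
}

// Every installed copy of `name` with version < fixedVersion, with its path,
// so the nested copies (the ones `npm ls` hides behind a hoisted good one)
// are reported too.
function findVulnerableCopies(lock, name, fixedVersion) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages ?? {})) {
    if (lockPath === "" || !meta.version) continue;
    if (packageNameFromPath(lockPath) !== name) continue;
    if (compareVersions(meta.version, fixedVersion) < 0) {
      hits.push({ path: lockPath, version: meta.version });
    }
  }
  return hits;
}

// Usage: the fixed version is the one the advisory names (6.0.1 or later).
const findings = findVulnerableCopies(SAMPLE_LOCK, "glob-parent", "6.0.1");
for (const f of findings) {
  console.log(`${f.path}@${f.version} is below the fixed version 6.0.1`);
}
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Note that lockfileVersion 1 files have no `packages` map (they nest a `dependencies` tree instead), so the function returns nothing for them; and a hoisted, fixed top-level copy (6.0.2 here) does not protect the nested 5.1.2 copies, which is why the scan reports by path rather than by name alone.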

PAnilReddy commented 2 years ago

Any updates on this? It's a vulnerability and needs immediate attention.

theiliad commented 2 years ago

Hi, you seem to have an outdated version. A day before the creation of this issue we pushed a release that updates @carbon/telemetry to 0.0.1 which AFAIK should address this.

If that's not the case, pls feel free to open with new comments 🙂

PAnilReddy commented 2 years ago

@theiliad, I see the latest release was made 8 days ago and it's v0.55.1. I did install the latest and still see the vulnerable package (glob-parent@5.1.2) as part of it. Basically I don't see @carbon/telemetry at 0.0.1.

Can you let me know in which version it's fixed?

theiliad commented 2 years ago

This seems like an issue inside carbon-components

PAnilReddy commented 2 years ago

@theiliad, can you confirm if this will be fixed as part of this issue, or should I raise one against carbon-components?

theiliad commented 2 years ago

@theiliad, can you confirm if this will be fixed as part of this issue, or should I raise one against carbon-components?

This is the carbon-charts repo.

As far as @jdharvey-ibm has told us there's a PR (https://github.com/carbon-design-system/carbon/pull/10982/files#diff-2c76dc06185f93bec73660e15338433b95eac6707317564c0f778f5b9abe446c) that's updated these deps, and there will be a release soon.

@jdharvey-ibm could you pls let us know when this comes out so that we can update?

jharvey10 commented 2 years ago

I'm not actively tracking the releases from the carbon monorepo, but @joshblack or @tay1orjones could potentially keep you in the loop. Also, @PAnilReddy if you have Dependabot or Renovate hooked up in your repo, it should automatically open PRs for you the next time it updates your project dependencies.

tay1orjones commented 2 years ago

Hey just want to close the loop here - the version of @carbon/telemetry was updated in v10.56.0.

https://github.com/carbon-design-system/carbon/blob/v10.56.0/packages/components/package.json#L66