celo-org / social-connect

Protocol mapping social identifiers to blockchain addresses
https://socialconnect.xyz
Apache License 2.0

Update dependency protobufjs to v7.2.5 [SECURITY] #277

Open renovate[bot] opened 7 months ago

renovate[bot] commented 7 months ago

This PR contains the following updates:

| Package | Change |
|---|---|
| protobufjs (source) | 7.2.4 -> 7.2.5 |

GitHub Vulnerability Alerts

CVE-2023-36665

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.


protobufjs Prototype Pollution vulnerability

CVE-2023-36665 / GHSA-h755-8qp9-cq85

#### Severity

- CVSS Score: 9.8 / 10 (Critical)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

#### References

- https://nvd.nist.gov/vuln/detail/CVE-2023-36665
- https://github.com/protobufjs/protobuf.js/issues/1918#issuecomment-1723500294
- https://github.com/protobufjs/protobuf.js/pull/1899
- https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d
- https://github.com/protobufjs/protobuf.js
- https://github.com/protobufjs/protobuf.js/commits/release-6.11.4
- https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4
- https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4
- https://security.netapp.com/advisory/ntap-20240628-0006
- https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-h755-8qp9-cq85) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

protobufjs/protobuf.js (protobufjs)

### [`v7.2.5`](https://github.com/protobufjs/protobuf.js/blob/HEAD/CHANGELOG.md#725-2023-08-21)

[Compare Source](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.4...protobufjs-v7.2.5)

##### Bug Fixes

- crash in comment parsing ([#1890](https://github.com/protobufjs/protobuf.js/issues/1890)) ([eaf9f0a](https://github.com/protobufjs/protobuf.js/commit/eaf9f0a5a4009a8981c69af78365dfc988ed925b))
- deprecation warning for new Buffer ([#1905](https://github.com/protobufjs/protobuf.js/issues/1905)) ([e93286e](https://github.com/protobufjs/protobuf.js/commit/e93286ef70d2e673c341ac08a192cc2abe6fd2eb))
- possible infinite loop when parsing option ([#1923](https://github.com/protobufjs/protobuf.js/issues/1923)) ([f2a8620](https://github.com/protobufjs/protobuf.js/commit/f2a86201799af5842e1339c22950abbb3db00f51))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
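The advisory quoted above describes a dotted option path such as `constructor.prototype.<name>` walking a setter from a plain object out to `Object.prototype`. The following is an added illustration, not protobufjs's own code: a naive path setter with that defect next to a hardened one that rejects `__proto__`, `constructor` and `prototype` segments and only descends into own properties, plus a probe a defender can use to detect a planted prototype property. The function names `setPropertyNaive`, `setPropertySafe`, `isPolluted` and `demo` are assumptions.

```javascript
// Path segments that lead a setter out of a plain object into a shared prototype:
// "__proto__" and "constructor.prototype" both reach Object.prototype.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// Naive dotted-path setter (assumed shape, not the protobufjs implementation).
// It follows whatever the path names, inherited properties included, so
// "constructor.prototype.x" on {} walks to Object, then to Object.prototype,
// and writes there: the pollution the advisory describes.
function setPropertyNaive(dst, path, value) {
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!cur[parts[i]]) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}
// Hardened setter: reject dangerous segments up front, and only descend into
// own plain-object properties so inherited ones are never followed.
function setPropertySafe(dst, path, value) {
  const parts = path.split(".");
  for (const key of parts) {
    if (DANGEROUS_KEYS.has(key)) throw new Error(`refusing path segment "${key}"`);
  }
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}
// Detection probe: has a property of this name been planted on Object.prototype?
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
// Run both setters against the same hostile path (a constructed sample) and
// report what happened; the naive write is undone so the process stays clean.
function demo() {
  const hostile = "constructor.prototype.polluted";
  const r = {};
  setPropertyNaive({}, hostile, "yes");
  r.naivePolluted = isPolluted("polluted") && ({}).polluted === "yes";
  delete Object.prototype.polluted; // undo the demonstration
  try { setPropertySafe({}, hostile, "yes"); r.safeThrew = false; }
  catch (e) { r.safeThrew = true; }
  r.safeStillClean = !isPolluted("polluted");
  r.normalWorks = setPropertySafe({}, "a.b.c", 1).a.b.c === 1;
  return r;
}
```

The same probe, run after parsing untrusted `.proto` text or option values with a pre-fix library version, is a cheap regression check for the pollution the advisory describes.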

renovate[bot] commented 7 months ago

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: yarn.lock

```
TypeError: URL.canParse is not a function
    at parseSpec (/opt/containerbase/tools/corepack/0.26.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23359:21)
    at loadSpec (/opt/containerbase/tools/corepack/0.26.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23422:11)
    at async Engine.findProjectSpec (/opt/containerbase/tools/corepack/0.26.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23606:22)
    at async Engine.executePackageManagerRequest (/opt/containerbase/tools/corepack/0.26.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23660:20)
    at async BinaryCommand.validateAndExecute (/opt/containerbase/tools/corepack/0.26.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:21164:22)
    at async _Cli.run (/opt/containerbase/tools/corepack/0.26.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22139:18)
    at async Object.runMain (/opt/containerbase/tools/corepack/0.26.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:24371:12)
```

changeset-bot[bot] commented 7 months ago

⚠️ No Changeset found

Latest commit: 5cbcac2eccc5d36bcf9e3b6eb919575b36efcb1b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

renovate[bot] commented 4 months ago

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: yarn.lock

```
/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22095
  const isURL = URL.canParse(range);
                    ^

TypeError: URL.canParse is not a function
    at parseSpec (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22095:21)
    at loadSpec (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22158:11)
    at async Engine.findProjectSpec (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22348:22)
    at async Engine.executePackageManagerRequest (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22404:24)
    at async Object.runMain (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23096:5)

Node.js v18.14.2
```