higs4281
commented
7 years ago This has been raised as a broader issue with the platform team.
Open lfatty opened 7 years ago
higs4281
commented
7 years ago This has been raised as a broader issue with the platform team.
sebworks
commented
7 years ago @lfatty, what tool was used to find this vulnerability?
lfatty
commented
7 years ago @sebworks, https://snyk.io/ was used to testing the dependencies.
ascott1
commented
7 years ago @sebworks installing snyk globally and running snyk wizard should apply patches for all of the impacted dependencies
sebworks
commented
7 years ago ok, just thought he might have been using an alternative tool. Thanks all.
High severity Vulnerable module: minimatch Detailed paths
Introduced through: retirement@cfpb/retirement#ebcfc7198ec2a9d390ea7f884a931f25dffe1646 › gulp@3.9.1 › vinyl-fs@0.3.14 › glob-stream@3.1.18 › minimatch@2.0.10 Introduced through: retirement@cfpb/retirement#ebcfc7198ec2a9d390ea7f884a931f25dffe1646 ›
minimatch is a minimalistic matching library used for converting glob expressions into JavaScript RegExp objects.
An attacker can provide a long value to the minimatch function, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).
"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time."