cisagov / crossfeed

External monitoring for organization assets
https://docs.crossfeed.cyber.dhs.gov
Creative Commons Zero v1.0 Universal

Fix vulnerabilities #1288

Open epicfaace opened 2 years ago

epicfaace commented 2 years ago

Steps:

Run:

```
cd frontend
snyk auth
snyk test
```

Then see which dependencies are vulnerable and try to update the ones that are vulnerable. Make a PR with these updates.

We should do the same thing in the frontend and docs folder. I already fixed the vulnerabilities in the backend folder.

epicfaace commented 2 years ago

For each dependency you update, I would make a PR.

```
snyk iac test .
```

epicfaace commented 2 years ago

Snyk notes:

Vuln notes:

Vulnerability details:

Issues with no direct upgrade or patch:

```
✗ Improper Input Validation [Critical Severity][https://snyk.io/vuln/SNYK-JS-CLASSVALIDATOR-1730566] in class-validator@0.13.1
  introduced by class-validator@0.13.1
  No upgrade or patch available
```

Mitigation steps: We set forbidUnknownValues equal to true in the code, which is sufficient to mitigate this vulnerability in our use case (see https://github.com/typestack/class-validator#passing-options and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18413).

Vulnerability details:

```
Use After Free
Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.31-13 and glibc/libc6@2.31-13
Detailed paths
  Introduced through: node@14.17-bullseye-slim › glibc/libc-bin@2.31-13
  Introduced through: node@14.17-bullseye-slim › glibc/libc6@2.31-13
NVD Description
Note: Versions mentioned in the description apply to the upstream glibc package.
```

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

Status: Mitigated

Mitigation steps: The Docker base image with this vulnerability is only deployed on production through the workers, which are ephemeral and are used to conduct the scans. Moreover, this vulnerability is unlikely to be exploited in our use case; exploitation steps (and there are no known applications that have all these pre-requisites) are described in https://access.redhat.com/security/cve/cve-2021-33574. Finally, we are unable to use a different base image because we use third-party libraries that require using Node 14, and node:14-bullseye-slim is the most up-to-date official Node Docker image we can use that has Node 14.
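As an added illustration of the class-validator mitigation discussed above (not code from crossfeed or from class-validator itself): a small, constructed validator that mirrors how decorator metadata is looked up by class, so you can see why a plain object with no registered rules passes silently under the weak default and why `forbidUnknownValues: true` closes that gap. The `register` helper, `CreateUserDto` class and error message text are assumptions made for this example.

```javascript
// Constructed toy validator mirroring the metadata-by-class lookup that
// class-validator performs; it is NOT class-validator's code.
const registry = new Map(); // class constructor -> [{ property, check, message }]

// Hypothetical registration helper standing in for a decorator such as @IsString().
function register(ctor, property, check, message) {
  if (!registry.has(ctor)) registry.set(ctor, []);
  registry.get(ctor).push({ property, check, message });
}

// Validate `target` against the rules registered for its class.
// With forbidUnknownValues=false (the weak default) an object whose class has
// no registered rules produces NO errors, so unvalidated input passes through.
// With forbidUnknownValues=true such an object is rejected outright.
function validate(target, options = {}) {
  const ctor = target == null ? undefined : target.constructor;
  const rules = registry.get(ctor);
  if (!rules) {
    return options.forbidUnknownValues
      ? [{ property: undefined, constraints: { unknownValue: 'unknown value passed to validate' } }]
      : [];
  }
  const errors = [];
  for (const { property, check, message } of rules) {
    if (!check(target[property])) {
      errors.push({ property, constraints: { [message]: `${property} ${message}` } });
    }
  }
  return errors;
}

// Assumed DTO with one rule: name must be a non-empty string.
class CreateUserDto {
  constructor(name) { this.name = name; }
}
register(CreateUserDto, 'name', (v) => typeof v === 'string' && v.length > 0, 'must be a non-empty string');

// Typical failure mode: a parsed JSON body is handed to validate() without being
// converted into the DTO class, so it is a plain Object carrying no rules.
function validateUntrusted(body, forbidUnknownValues) {
  return validate(body, { forbidUnknownValues });
}
```

Running `validateUntrusted({ name: 42 }, false)` returns no errors even though `name` is not a string, while the same call with `true` returns a single `unknownValue` error.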