Open epicfaace opened 2 years ago
Each dependency you update, I would make a PR.
Snyk notes:
Vuln notes:
Vulnerability details:
Issues with no direct upgrade or patch: ✗ Improper Input Validation [Critical Severity][https://snyk.io/vuln/SNYK-JS-CLASSVALIDATOR-1730566] in class-validator@0.13.1 introduced by class-validator@0.13.1 No upgrade or patch available
Mitigation steps: We set forbidUnknownValues equal to true in the code, which is sufficient to mitigate this vulnerability in our use case (see https://github.com/typestack/class-validator#passing-options and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18413).
Vulnerability details:
Use After Free
Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.31-13 and glibc/libc6@2.31-13
Detailed paths
Introduced through: node@14.17-bullseye-slim › glibc/libc-bin@2.31-13
Introduced through: node@14.17-bullseye-slim › glibc/libc6@2.31-13
NVD Description
Note: Versions mentioned in the description apply to the upstream glibc package.
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
Status: Mitigated
Mitigation steps: The Docker base image with this vulnerability is only deployed on production through the workers, which are ephemeral and are used to conduct the scans. Moreover, this vulnerability is unlikely to be exploited in our use case; exploitation steps (and there are no known applications that have all these pre-requisites) are described in https://access.redhat.com/security/cve/cve-2021-33574. Finally, we are unable to use a different base image because we use third-party libraries that require using Node 14, and node:14-bullseye-slim is the most up-to-date official Node Docker image we can use that has Node 14.
Steps:
Run:
Then see which dependencies are vulnerable and try to update the ones that are vulnerable. Make a PR with these updates.
We should do the same thing in the frontend and docs folders. I already fixed the vulnerabilities in the backend folder.
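The forbidUnknownValues mitigation above rests on one point: a validator that looks up rules by the object's class finds nothing for a plain object (for example, a parsed request body that was never transformed into the DTO class) and, if it treats "no rules" as "no errors", lets that object through. The following is an added example and is not code from this issue, from class-validator, or from this project; it is a hand-rolled model with a constructed rule registry, a hypothetical CreateUserDto class and constructed inputs, written so it runs offline and shows the fail-open behaviour next to the fail-closed one.

```javascript
// Added example: a minimal model of why forbidUnknownValues matters.
// This imitates only the shape of class-validator's behaviour (rules are
// looked up by the target's constructor); it is not the library's code.

// Constructed rule registry: class -> list of property rules.
const rules = new Map();

function registerRule(cls, property, check, message) {
  if (!rules.has(cls)) rules.set(cls, []);
  rules.get(cls).push({ property, check, message });
}

// Validate `target`. With forbidUnknownValues=false, an object whose class has
// no registered rules produces no errors at all and so passes (fail-open).
// With forbidUnknownValues=true the same object is rejected (fail-closed).
function validate(target, { forbidUnknownValues = false } = {}) {
  const classRules = rules.get(target?.constructor);
  if (!classRules) {
    return forbidUnknownValues
      ? [{ property: undefined,
           constraints: { unknownValue: "an unknown value was passed to the validate function" } }]
      : [];
  }
  const errors = [];
  for (const { property, check, message } of classRules) {
    if (!check(target[property])) {
      errors.push({ property, constraints: { [property]: message } });
    }
  }
  return errors;
}

// Hypothetical DTO with two constructed rules.
class CreateUserDto {
  constructor(email, role) {
    this.email = email;
    this.role = role;
  }
}
registerRule(CreateUserDto, "email",
  (v) => typeof v === "string" && v.includes("@"), "email must be an email");
registerRule(CreateUserDto, "role", (v) => v === "user", "role must be 'user'");

// Constructed inputs: a well-formed DTO, a malformed DTO, and a plain object
// as JSON.parse would return it when the body is never mapped onto the class.
function demo() {
  const good = new CreateUserDto("a@b.example", "user");
  const bad = new CreateUserDto("not-an-email", "admin");
  const plain = JSON.parse('{"email":"x","role":"admin"}');
  return {
    goodErrors: validate(good).length,                                   // 0
    badErrors: validate(bad).length,                                     // 2
    plainLenient: validate(plain).length,                                // 0: passes silently
    plainStrict: validate(plain, { forbidUnknownValues: true }).length,  // 1: rejected
  };
}

console.log(demo());
```

The plainLenient result is the bypass: the malformed plain object carries the same bad values as `bad` but receives zero errors because no rules are attached to `Object`. Setting the option to true is the safe default; in class-validator 0.14.0 and later forbidUnknownValues defaults to true, so the explicit setting mainly matters on the 0.13.x line discussed in this issue.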