Open slcardinal opened 1 year ago
Updating Stratos will be done over the next couple of months.
Most of these vulnerabilities can be auto-fixed.
24 vulnerabilities (1 low, 7 moderate, 16 high)
```text
body-parser <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via npm audit fix
node_modules/body-parser
node_modules/express/node_modules/body-parser
  express <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via npm audit fix
node_modules/braces

es5-ext 0.10.1 - 0.10.62
es5-ext vulnerable to Regular Expression Denial of Service in function#copy and function#toStringTokens - https://github.com/advisories/GHSA-4gmj-3p3h-gm8h
fix available via npm audit fix
node_modules/es5-ext

follow-redirects <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via npm audit fix
node_modules/follow-redirects

ip *
Severity: high
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via npm audit fix
node_modules/ip

micromatch <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via npm audit fix
node_modules/micromatch

path-to-regexp <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via npm audit fix
node_modules/path-to-regexp

rollup <3.29.5
Severity: high
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - https://github.com/advisories/GHSA-gcx4-mw62-g8wm
fix available via npm audit fix --force
Will install ng-packagr@18.2.1, which is a breaking change
node_modules/rollup
  @rollup/plugin-json <=4.1.0
  Depends on vulnerable versions of @rollup/pluginutils
  Depends on vulnerable versions of rollup
  node_modules/@rollup/plugin-json
    ng-packagr <=15.0.1
    Depends on vulnerable versions of @rollup/plugin-json
    Depends on vulnerable versions of @rollup/plugin-node-resolve
    Depends on vulnerable versions of rollup
    Depends on vulnerable versions of rollup-plugin-sourcemaps
    node_modules/ng-packagr
      @angular-devkit/build-angular <=16.2.14 || 17.0.0-next.0 - 17.3.8 || 18.0.0-next.0 - 18.2.1 || 19.0.0-next.0 - 19.0.0-next.1
      Depends on vulnerable versions of ng-packagr
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of webpack-dev-middleware
      node_modules/@angular-devkit/build-angular
        @angular-builders/custom-webpack 11.1.2-beta.0 - 15.0.0
        Depends on vulnerable versions of @angular-devkit/build-angular
        node_modules/@angular-builders/custom-webpack
  @rollup/plugin-node-resolve <=14.1.0
  Depends on vulnerable versions of @rollup/pluginutils
  Depends on vulnerable versions of rollup
  node_modules/@rollup/plugin-node-resolve
  @rollup/pluginutils <=4.1.0
  Depends on vulnerable versions of rollup
  node_modules/@rollup/pluginutils
  rollup-plugin-sourcemaps >=0.5.0
  Depends on vulnerable versions of @rollup/pluginutils
  node_modules/rollup-plugin-sourcemaps

send <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via npm audit fix
node_modules/send
  serve-static <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via npm audit fix
node_modules/tar

webpack 5.0.0-alpha.0 - 5.93.0
Severity: moderate
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - https://github.com/advisories/GHSA-4vvj-4cpr-p986
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@18.2.5, which is a breaking change
node_modules/@angular-devkit/build-angular/node_modules/webpack
node_modules/webpack

webpack-dev-middleware <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@18.2.5, which is a breaking change
node_modules/webpack-dev-middleware

ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via npm audit fix
node_modules/ws
  engine.io 0.7.8 - 0.7.9 || 6.0.0 - 6.5.4
  Depends on vulnerable versions of ws
  node_modules/engine.io
  socket.io-adapter 2.5.2 - 2.5.4
  Depends on vulnerable versions of ws
  node_modules/socket.io-adapter
```
In addition to the following findings, the Go version itself, v1.21, is now unsupported (latest: v1.23).
```text
Vulnerability #1: GO-2024-3106
    Stack exhaustion in Decoder.Decode in encoding/gob
  More info: https://pkg.go.dev/vuln/GO-2024-3106
  Standard library
    Found in: encoding/gob@go1.21.13
    Fixed in: encoding/gob@go1.22.7
    Example traces found:

Vulnerability #2: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.17.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #2: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #3: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #4: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #5: main.go:347:58: jetstream.main calls http2.GoAwayError.Error
      #6: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.Setting.String
      #7: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #8: main.go:347:58: jetstream.main calls http2.StreamError.Error
      #9: plugins/cloudfoundry/main.go:225:3: cloudfoundry.CloudFoundrySpecification.Info calls http.http2transportResponseBody.Close, which eventually calls http2.chunkWriter.Write
      #10: main.go:347:58: jetstream.main calls http2.connError.Error
      #11: main.go:347:58: jetstream.main calls http2.duplicatePseudoHeaderError.Error
      #12: plugins/cloudfoundry/main.go:225:3: cloudfoundry.CloudFoundrySpecification.Info calls http2.gzipReader.Close
      #13: plugins/userinvite/invite.go:260:29: userinvite.UserInvite.UAAUserInvite calls ioutil.ReadAll, which eventually calls http2.gzipReader.Read
      #14: main.go:347:58: jetstream.main calls http2.headerFieldNameError.Error
      #15: main.go:347:58: jetstream.main calls http2.headerFieldValueError.Error
      #16: main.go:347:58: jetstream.main calls http2.pseudoHeaderError.Error
      #17: plugins/cloudfoundry/main.go:225:3: cloudfoundry.CloudFoundrySpecification.Info calls http.http2transportResponseBody.Close, which eventually calls http2.stickyErrWriter.Write
      #18: plugins/cloudfoundry/main.go:225:3: cloudfoundry.CloudFoundrySpecification.Info calls http2.transportResponseBody.Close
      #19: plugins/userinvite/invite.go:260:29: userinvite.UserInvite.UAAUserInvite calls ioutil.ReadAll, which eventually calls http2.transportResponseBody.Read
      #20: repository/cnsis/pgsql_cnsis.go:354:63: cnsis.PostgresCNSIRepository.Save calls fmt.Sprintf, which eventually calls http2.writeData.String

Vulnerability #3: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.31.0
    Fixed in: google.golang.org/protobuf@v1.33.0
    Example traces found:
      #2: plugins/cloudfoundry/cf_websocket_streams.go:144:42: cloudfoundry.relayRecentLogsFromCache calls log.Client.Read, which eventually calls json.Decoder.Read
      #3: plugins/cloudfoundry/cf_websocket_streams.go:144:42: cloudfoundry.relayRecentLogsFromCache calls log.Client.Read, which eventually calls protojson.UnmarshalOptions.Unmarshal

Your code is affected by 3 vulnerabilities from 2 modules and the Go standard library.
This scan also found 2 vulnerabilities in packages you import and 1 vulnerability in
modules you require, but your code doesn't appear to call these vulnerabilities.
Use '-show verbose' for more details.
```
Stratos Version
Version: 4.4.0
Frontend Deployment type
Backend (Jet Stream) Deployment type
Expected behaviour
Address critical application dependency vulnerabilities.
I am not a developer, I just support the Stratos UI that is used with our internal deployment of Cloud Foundry. We have a clone of this repository in our Enterprise Version of GitHub and our security team has enabled Dependabot to help with vulnerabilities. Due to these critical vulnerabilities, we have been asked to stop using this UI as part of our Cloud Foundry deployment. We would like to continue to use Stratos, as our internal customers prefer Stratos to the home-grown Cloud Foundry UI that was developed. Would someone in the community be willing to have a look at remediating the application dependencies in the Stratos UI?
Actual behaviour
Need to have Dependabot recommendations resolved.
Steps to reproduce the behavior
Turn on Dependabot recommendations for the community repository for Stratos.
Log output covering before error and any error statements
Detailed Description
Context
Possible Implementation