cypress-io / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://cypress.io
MIT License
47.03k stars, 3.19k forks

CVE-2023-32695 reported in Trivy scan while cypress 13.3.3 version runs #28156

Closed eagle-txec closed 4 months ago

eagle-txec commented 1 year ago

Current behavior

Getting this CVE-2023-32695 vulnerability when I run Trivy for image scanning on Cypress 13.3.3 and previous versions. A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Current version: 4.0.5

Desired behavior

Upgrade to version 4.2.3 or 3.4.3.

Test code to reproduce

none

Cypress Version

13.3.3

Node version

16.20.2

Operating System

16.20.2

Debug Logs


operating system ubuntu:lunar

```json
          "VulnerabilityID": "CVE-2023-32695",
          "InstalledVersion": "4.0.5",
          "LastModifiedDate": "2023-06-05T15:54:00Z"
        },
        {
          "CVSS": {
            "nvd": {
              "V3Score": 7.5,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "ghsa": {
              "V3Score": 7.3,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
            }
          },
          "Layer": {
            "DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
          },
          "PkgID": "socket.io-parser@4.0.5",
          "Title": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...",
          "CweIDs": [
            "CWE-754"
          ],
          "Status": "fixed",
          "PkgName": "socket.io-parser",
          "PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/@packages/socket/node_modules/socket.io-parser/package.json",
          "Severity": "HIGH",
          "DataSource": {
            "ID": "ghsa",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
            "Name": "GitHub Security Advisory npm"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-32695",
          "References": [
            "https://github.com/socketio/socket.io-parser",
            "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9",
            "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced",
            "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3",
            "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3",
            "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-32695"
          ],
          "Description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.\n\n",
          "FixedVersion": "4.2.3, 3.4.3",
          "PublishedDate": "2023-05-27T16:15:00Z",
          "SeveritySource": "ghsa",
          "VulnerabilityID": "CVE-2023-32695",
          "InstalledVersion": "4.0.5",
          "LastModifiedDate": "2023-06-05T15:54:00Z"
```

### Other

_No response_
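How a practitioner would triage the Trivy finding quoted in the report above, as an added example; this is not Cypress's or Trivy's own code. It assumes the wrapper structure of a Trivy JSON report, `Results[].Vulnerabilities[]`, around the fields quoted in the issue, and the `report` object is constructed from that quoted entry. The helper names (`selectFix`, `isBundledInCypressCache`, `triage`) are this example's own. It shows two things the raw JSON does not state outright: which of the comma-separated fixed versions applies to the installed 4.x line, and that a package found under `.cache/Cypress/<version>/Cypress/resources/app/` is bundled in the downloaded Cypress binary, so a change to the project's own lockfile cannot remove it; only a Cypress release that ships a patched socket.io-parser does.

```javascript
// Added example (not Cypress or Trivy code): triage a Trivy JSON report.
// The report below is constructed from the single finding quoted in the issue;
// the Results[].Vulnerabilities[] wrapper is assumed to match Trivy's JSON output.
const report = {
  Results: [
    {
      Target: "Node.js",
      Class: "lang-pkgs",
      Type: "node-pkg",
      Vulnerabilities: [
        {
          VulnerabilityID: "CVE-2023-32695",
          PkgName: "socket.io-parser",
          PkgPath:
            "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/@packages/socket/node_modules/socket.io-parser/package.json",
          InstalledVersion: "4.0.5",
          FixedVersion: "4.2.3, 3.4.3",
          Severity: "HIGH",
          Status: "fixed",
        },
      ],
    },
  ],
};

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease and build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Trivy lists one fixed version per maintained release line ("4.2.3, 3.4.3").
// Prefer the fix on the same major as the installed version; otherwise take the
// lowest fixed version that is still above the installed one. null means the
// installed version is already at or past every listed fix.
function selectFix(installed, fixedField) {
  const fixes = fixedField.split(",").map((s) => s.trim()).filter(Boolean);
  const major = parseVersion(installed)[0];
  const sameMajor = fixes.filter((f) => parseVersion(f)[0] === major);
  const candidates = (sameMajor.length ? sameMajor : fixes)
    .filter((f) => compareVersions(installed, f) < 0)
    .sort(compareVersions);
  return candidates[0] ?? null;
}

// A package under the Cypress binary cache ships inside the Cypress app itself,
// so the only remediation is a Cypress version that bundles the fixed package.
function isBundledInCypressCache(pkgPath) {
  return /(^|\/)\.cache\/Cypress\/\d+\.\d+\.\d+\/Cypress\/resources\/app\//.test(pkgPath);
}

function triage(report) {
  const out = [];
  for (const result of report.Results ?? []) {
    for (const v of result.Vulnerabilities ?? []) {
      const fix = v.FixedVersion ? selectFix(v.InstalledVersion, v.FixedVersion) : null;
      out.push({
        id: v.VulnerabilityID,
        pkg: v.PkgName,
        installed: v.InstalledVersion,
        upgradeTo: fix,
        severity: v.Severity,
        owner: isBundledInCypressCache(v.PkgPath) ? "cypress-binary" : "project",
      });
    }
  }
  return out;
}

for (const f of triage(report)) {
  console.log(
    `${f.id} ${f.pkg}@${f.installed} -> ${f.upgradeTo ?? "no fix"} [${f.severity}] owner=${f.owner}`
  );
}
```

Run it with `node` on the file you save it in. Replacing the constructed `report` with `JSON.parse(fs.readFileSync("trivy.json"))` turns it into a report filter; the `owner` field is the useful output here, because it separates findings a team can fix in its own `package-lock.json` from findings that only a Cypress upgrade can clear.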
cypress-app-bot commented 5 months ago

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

cypress-app-bot commented 4 months ago

This issue has been closed due to inactivity.

CraigKnottAtlassian commented 3 weeks ago

👀
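The advisory text quoted in the issue ("a specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process", tagged CWE-754) describes a bug class rather than a specific payload, and the example below demonstrates that class. It is an added illustration, not socket.io-parser's or Cypress's code: a minimal decoder for Socket.IO protocol v5 EVENT packets (type `2`, optional `/namespace,`, optional ack id, then a JSON array; binary attachments are not handled) with an unchecked dispatch beside a checked one. The crafted input, an event whose "name" is an object with a non-callable `toString`, is my assumption about the kind of payload the 4.2.3 check rejects; the page does not give the upstream reproduction. All function and class names are the example's own.

```javascript
// Added example, not socket.io-parser code: why an unchecked event payload lets
// a remote client crash a Node.js server, and the shape check that prevents it.
const EVENT = "2";

// Split "2[/nsp,][id]<json>" into its parts. Throws on malformed input.
function splitPacket(raw) {
  if (raw[0] !== EVENT) throw new RangeError("only EVENT packets are handled");
  let i = 1;
  let nsp = "/";
  if (raw[i] === "/") {
    const end = raw.indexOf(",", i);
    if (end === -1) throw new RangeError("unterminated namespace");
    nsp = raw.slice(i, end);
    i = end + 1;
  }
  let id;
  const idStart = i;
  while (i < raw.length && /[0-9]/.test(raw[i])) i++;
  if (i > idStart) id = Number(raw.slice(idStart, i));
  const payload = JSON.parse(raw.slice(i)); // SyntaxError on bad JSON
  return { nsp, id, payload };
}

// "Before": trusts the decoded array and uses its first element as the event
// name. handlers[name] coerces name to a property key; an object whose toString
// is not callable makes that coercion throw TypeError. Nothing on this path
// catches it, so the exception is uncaught and the process exits.
function dispatchUnchecked(raw, handlers) {
  const { payload } = splitPacket(raw);
  const [name, ...args] = payload;
  const handler = handlers[name];
  return handler ? handler(...args) : undefined;
}

// "After": one error type for every decode failure, so the receive loop can
// drop the client instead of dying.
class InvalidPacket extends Error {}

// CWE-754 fix: check the payload shape before using any part of it. An event
// name must be a string or a number; anything else is rejected up front.
function isValidEventPayload(payload) {
  return (
    Array.isArray(payload) &&
    payload.length > 0 &&
    (typeof payload[0] === "string" || typeof payload[0] === "number")
  );
}

function dispatchChecked(raw, handlers) {
  let packet;
  try {
    packet = splitPacket(raw);
  } catch (e) {
    throw new InvalidPacket(`malformed packet: ${e.message}`);
  }
  if (!isValidEventPayload(packet.payload)) throw new InvalidPacket("invalid event payload");
  const [name, ...args] = packet.payload;
  // Own-property lookup so names like "constructor" cannot reach the prototype.
  const handler = Object.prototype.hasOwnProperty.call(handlers, name) ? handlers[name] : null;
  return handler ? handler(...args) : undefined;
}

// Simulated server receive loop: a decode failure disconnects the client;
// anything else that propagates is an uncaught exception (the process dies).
function receive(raw, handlers, dispatch) {
  try {
    return { outcome: "handled", value: dispatch(raw, handlers) };
  } catch (e) {
    if (e instanceof InvalidPacket) return { outcome: "disconnected", reason: e.message };
    throw e;
  }
}

const handlers = { chat: (msg) => `echo:${msg}` };
// Constructed packets: a legitimate event, and a crafted one (assumed trigger
// class, not the advisory's own reproduction) whose event "name" is an object
// that cannot be converted to a property key.
const GOOD = '2["chat","hi"]';
const CRAFTED = '2[{"toString":1}]';

console.log(receive(GOOD, handlers, dispatchChecked));
console.log(receive(CRAFTED, handlers, dispatchChecked));
```

The design point is where the check lives: validating the payload inside the decoder, before any code indexes with it, means every malformed packet surfaces as one catchable error at one place, which is what lets the transport answer with a disconnect rather than letting a `TypeError` escape from deep inside an emit path. The unchecked dispatch only works as long as every client is honest about the first array element.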