docusign / docusign-esign-node-client

The Official DocuSign Node.js Client Library used to interact with the eSign REST API. Send, sign, and approve documents using this client.
http://docusign.github.io/docusign-esign-node-client
MIT License

Security Vulnerability : pac-resolver #335

Closed Adhikaripr closed 1 month ago

Adhikaripr commented 10 months ago

Introduced through: docusign-esign@6.4.0 › superagent-proxy@2.1.0 › proxy-agent@4.0.1 › pac-proxy-agent@4.1.0 › pac-resolver@4.2.0

Overview: Affected versions of this package are vulnerable to Remote Code Execution (RCE). This can occur when used with untrusted input, due to unsafe PAC file handling.

In order to exploit this vulnerability in practice, this either requires an attacker on your local network, a specific vulnerable configuration, or some second vulnerability that allows an attacker to set your config values. https://security.snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857

Remediation: Upgrade pac-resolver to version 5.0.0 or higher.

cbsdsdevsup commented 10 months ago

Hi Adhikaripr,

Thank you for contacting DocuSign Developer Support.  We have raised this internally and will let you know as soon as we have an update.

Best regards, Conar | DocuSign Developer Support

OscarGodson commented 10 months ago

Any updates on this? In this particular case, is this not an issue, or if it is an issue, are there recommended temporary remediations?

annesophien commented 9 months ago


Hi @OscarGodson, our team has a ticket to address the security vulnerability introduced by pac-resolver and has prioritized the fix in our next sprint. In the meantime, you can remediate the vulnerability by upgrading pac-resolver to version 5.0.0 or higher.

OscarGodson commented 9 months ago

We don't use pac-resolver, so it's not in our package.json, so I'm not sure how to upgrade it.

cbsdsdevsup commented 9 months ago

Hi @OscarGodson ,

It is actually "superagent-proxy@2.1.0" (in the package.json) whose dependencies (proxy-agent@4.0.1 -> pac-proxy-agent@4.1.0 -> pac-resolver@4.2.0) use pac-resolver. So you can either upgrade superagent-proxy to 3.0.0 or downgrade the docusign-esign package to 6.3.0.

package.json: "superagent-proxy": "^2.0.0"

Let us know if you are happy for us to close this case.

Best regards, Conar | DocuSign Developer Support

juniorp07 commented 8 months ago

Is there an update regarding the pac-resolver vulnerability? Can we get a status update on the fix? Has it been addressed in the recent sprint as mentioned?

Thanks for keeping us informed.

comp615 commented 7 months ago

@annesophien @cbsdsdevsup this seems like a pretty straightforward fix. But it looks like the pac-resolver fix was deployed and then rolled back. Do you have an update on what's going on here? It's taken 3 months to resolve, which is a little disconcerting.

joaomvfsantos commented 7 months ago

It seems that this was fixed on 6.3.0 and is back on 6.5.1.

sonawane-sanket commented 1 month ago

Hello All,

We've removed the vulnerability, and you can now access the updated version here: 6.6.0-rc2.

Please find further updates in this issue

sonawane-sanket commented 1 month ago

We're excited to announce the release of the public version 7.0.0. We encourage you to upgrade and check out the changelog here.