external-secrets / kubernetes-external-secrets

Integrate external secret management systems with Kubernetes
MIT License

High severity vulnerability on 8.5.1 #896

Closed mmeknowis closed 2 years ago

mmeknowis commented 2 years ago

Hello,

Current 8.5.1 has a High-severity vulnerable dependency as per our scans. It's a sub-dependency of axios:

CVE-2022-0155: follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Helpful links:
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-0155
https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22

Additionally we found 2 medium vulnerabilities:

CVE-2022-0122: https://nvd.nist.gov/vuln/detail/CVE-2022-0122
WS-2022-0008: https://vuln.whitesourcesoftware.com/vulnerability-database/WS-2022-0008

Could you check if I am right?

Thanks a lot.

kareem-elsayed commented 2 years ago

@Flydiverny That is important, same as the migration from KES to ESO. Can someone give some time to fix it? KES is still under limited maintenance, as already mentioned in the last release note. Thanks a lot.


Flydiverny commented 2 years ago

CVE-2022-0155 was fixed in 8.5.2. CVE-2022-0122 and WS-2022-0008 look incorrect, as they apply to node-forge <1, while we are on 1.2.1; code paths are potentially hit if you use akeyless.

KES does not have any dedicated or active maintainer

I'll make sure to remove the limited maintenance part 😉

Flydiverny commented 2 years ago

Forgot to mention that I made a new release 8.5.5 as well. 😄 There were 2 new reports for the same node-forge dependency.
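The maintainer's reply above turns on which version of each transitive dependency is actually installed versus the range an advisory covers. The following is an added example, not code from the kubernetes-external-secrets project or from anyone in this thread: it walks a constructed package-lock.json and flags copies of follow-redirects and node-forge that sit below the fix version. The node-forge bound (<1) is what the thread states; the follow-redirects fix version 1.14.7 is an assumption taken from the upstream fix commit linked in the report and should be checked against the advisory.

```javascript
// Added example; the lockfile below is constructed, not the project's.
// Layout follows npm's lockfileVersion 2/3 "packages" map.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.21.4", dependencies: { "follow-redirects": "^1.14.0" } },
    "node_modules/follow-redirects": { version: "1.14.4" },
    "node_modules/node-forge": { version: "1.2.1" },
  },
};

// Affected ranges: "fixedIn" is the first version that is no longer affected.
// node-forge <1 comes from the thread; follow-redirects 1.14.7 is an assumption.
const ADVISORIES = [
  { id: "CVE-2022-0155", pkg: "follow-redirects", fixedIn: "1.14.7" },
  { id: "CVE-2022-0122", pkg: "node-forge", fixedIn: "1.0.0" },
  { id: "WS-2022-0008", pkg: "node-forge", fixedIn: "1.0.0" },
];

// Compare dotted numeric versions (prerelease suffix stripped); negative when a < b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of a package, including duplicates nested under other packages.
function installedVersions(lock, pkg) {
  const suffix = "node_modules/" + pkg;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// One finding per advisory per installed copy; "affected" is true below the fix version.
function auditLock(lock) {
  const findings = [];
  for (const adv of ADVISORIES) {
    for (const inst of installedVersions(lock, adv.pkg)) {
      const affected = compareVersions(inst.version, adv.fixedIn) < 0;
      findings.push({ id: adv.id, pkg: adv.pkg, path: inst.path, version: inst.version, affected });
    }
  }
  return findings;
}
```

Run against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a scanner that reports node-forge 1.2.1 as affected by a <1 range is a false positive by this check, which is the point the maintainer makes.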