botbuilder-4.22.3.tgz: 2 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github[bot]]

Vulnerable Library - botbuilder-4.22.3.tgz

Path to dependency file: /ai/copilot/contoso-real-state-msg-extension/package.json

Path to vulnerable library: /ai/copilot/contoso-real-state-msg-extension/package.json

Found in HEAD commit: c27524e670d3ab98f2167091ca55e4795d6dd6c8

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (botbuilder version)	Remediation Possible**
CVE-2024-39338	High	7.5	axios-1.7.3.tgz	Transitive	N/A*	❌
CVE-2024-35255	Medium	5.5	identity-2.1.0.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-39338

### Vulnerable Library - axios-1.7.3.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.7.3.tgz

Path to dependency file: /ai/copilot/contoso-real-state-msg-extension/package.json

Path to vulnerable library: /ai/copilot/contoso-real-state-msg-extension/package.json

Dependency Hierarchy: - botbuilder-4.22.3.tgz (Root Library) - :x: **axios-1.7.3.tgz** (Vulnerable Library)

Found in HEAD commit: c27524e670d3ab98f2167091ca55e4795d6dd6c8

Found in base branch: main

### Vulnerability Details

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Publish Date: 2024-08-09

URL: CVE-2024-39338

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-8hc4-vh64-cxmj

Release Date: 2024-08-09

Fix Resolution: axios - 1.7.4

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-35255

### Vulnerable Library - identity-2.1.0.tgz

Provides credential implementations for Azure SDK libraries that can authenticate with Azure Active Directory

Library home page: https://registry.npmjs.org/@azure/identity/-/identity-2.1.0.tgz

Path to dependency file: /ai/copilot/contoso-real-state-msg-extension/package.json

Path to vulnerable library: /ai/copilot/contoso-real-state-msg-extension/package.json

Dependency Hierarchy: - botbuilder-4.22.3.tgz (Root Library) - botframework-connector-4.22.3.tgz - :x: **identity-2.1.0.tgz** (Vulnerable Library)

Found in HEAD commit: c27524e670d3ab98f2167091ca55e4795d6dd6c8

Found in base branch: main

### Vulnerability Details

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

Publish Date: 2024-06-11

URL: CVE-2024-35255

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-m5vv-6r4h-3vj9

Release Date: 2024-06-11

Fix Resolution: @azure/identity - 4.2.1, @azure/msal-node - 2.9.1, Azure.Identity - 1.11.4, Microsoft.Identity.Client - 4.61.3, azure-identity - 1.16.1, com.azure:azure-identity:1.12.2, github.com/Azure/azure-sdk-for-go/sdk/azidentity - 1.6.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)