magento / pwa-studio

🛠Development tools to build, optimize and deploy Progressive Web Applications for Magento 2.
https://developer.adobe.com/commerce/pwa-studio/
Open Software License 3.0

PWA-3370::github.com/magento/pwa-studio Dependency Updates #4340

Closed glo82145 closed 1 day ago

glo82145 commented 1 month ago

Description

Hey PSIRT, can you issue tickets for the following issue in dependencies reported by a customer:

https://github.com/magento/pwa-studio

I have identified two issues in PWA-Studio that also end up in the final client bundle and could potentially be exploited by a hacker. I have a patch and have smoke-tested the frontend.


Here are the details of the vulnerabilities:


| Package Name | Title | Vulnerability ID | Installed | Fixed Version | URL |
| --- | --- | --- | --- | --- | --- |
| path-to-regexp | Backtracking regular expressions cause ReDoS | CVE-2024-45296 | 0.1.7 | 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 | Link |
| path-to-regexp | Backtracking regular expressions cause ReDoS | CVE-2024-45296 | 01.08.00 | 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 | Link |
| qs | Prototype poisoning causes the hang of the node process | CVE-2022-24999 | 06.05.02 | 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1 | Link |
| qs | Prototype poisoning causes the hang of the node process | CVE-2022-24999 | 06.05.02 | 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1 | Link |


For more details, devs can go through https://jira.corp.adobe.com/browse/VULN-29466 and https://jira.corp.adobe.com/browse/MAGREQ-12574

Related Issue

Closes https://jira.corp.adobe.com/browse/PWA-3370

Acceptance

Verification Stakeholders

Specification

Verification Steps

Test scenario(s) for direct fix/feature

Test scenario(s) for any existing impacted features/areas

Test scenario(s) for any Magento Backend Supported Configurations

Is Browser/Device testing needed?

Any ad-hoc/edge case scenarios that need to be considered?

Screenshots / Screen Captures (if appropriate)

Breaking Changes (if any)

Checklist
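The vulnerability table in the PR description lists, for each affected package, several fixed versions because the fix was backported to more than one release line, so "is my copy patched?" is not a single version comparison. The following Node script is an added example (not code from pwa-studio or from the reporter) that checks every copy of `path-to-regexp` and `qs` in a `package-lock.json` v2/v3 `packages` map against those fixed versions, including nested copies under a dependency's own `node_modules`. The lockfile fragment and its installed versions are constructed for the example, and the rule that a release newer than the newest fix in its release line carries the fix is the script's assumption, not something the PR states.

```javascript
// Added example (not pwa-studio or reporter code): check installed copies of
// the two packages named in this PR against the fixed versions the advisory
// table lists, and report which copies still need the update.

// Fixed versions exactly as listed in the PR description, one entry per
// release line that received a backport.
const FIXED = {
  'path-to-regexp': ['1.9.0', '0.1.10', '8.0.0', '3.3.0', '6.3.0'],
  qs: ['6.10.3', '6.9.7', '6.8.3', '6.7.3', '6.6.1', '6.5.3', '6.4.1'],
};

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; pre-release/build suffixes
// are ignored, which is enough for comparing release lines.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  if (!m) throw new Error(`not a semver version: ${str}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

const fmt = (v) => v.join('.');

// Decide whether `installed` carries the fix. Assumptions (not from the PR):
//  1. a fix listed for the same MAJOR.MINOR line decides directly;
//  2. otherwise a release newer than the newest fix in its MAJOR line is
//     patched, and an older minor with no backport is not;
//  3. a MAJOR line with no listed fix is vulnerable unless it postdates every
//     fix; the nearest higher fixed version is the upgrade target.
function assess(pkg, installed) {
  const fixes = (FIXED[pkg] || []).map(parseVersion).sort(compare);
  if (fixes.length === 0) throw new Error(`no advisory data for ${pkg}`);
  const v = parseVersion(installed);

  const sameMinor = fixes.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (sameMinor) {
    return { status: compare(v, sameMinor) >= 0 ? 'fixed' : 'vulnerable', fixedIn: fmt(sameMinor) };
  }
  const sameMajor = fixes.filter((f) => f[0] === v[0]);
  const newestSameMajor = sameMajor[sameMajor.length - 1];
  if (newestSameMajor && compare(v, newestSameMajor) > 0) {
    return { status: 'fixed', fixedIn: fmt(newestSameMajor) };
  }
  const newest = fixes[fixes.length - 1];
  if (compare(v, newest) > 0) return { status: 'fixed', fixedIn: null };
  const next = fixes.find((f) => compare(f, v) > 0);
  return { status: 'vulnerable', fixedIn: fmt(next) };
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// Nested copies such as node_modules/express/node_modules/path-to-regexp are
// included, since those are the ones that reach a bundle unnoticed.
function auditLock(lock) {
  const results = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!Object.prototype.hasOwnProperty.call(FIXED, name)) continue;
    results.push({ path, name, version: entry.version, ...assess(name, entry.version) });
  }
  return results;
}

function vulnerableCopies(lock) {
  return auditLock(lock).filter((r) => r.status === 'vulnerable');
}

// Constructed sample lockfile fragment; versions are illustrative and this is
// not the real pwa-studio lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-storefront', version: '1.0.0' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/express/node_modules/path-to-regexp': { version: '0.1.7' },
    'node_modules/path-to-regexp': { version: '1.8.0' },
    'node_modules/qs': { version: '6.5.2' },
    'node_modules/body-parser/node_modules/qs': { version: '6.11.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditLock(SAMPLE_LOCK)) {
    const target = r.fixedIn ? ` (fixed in ${r.fixedIn})` : '';
    console.log(`${r.path}@${r.version}: ${r.status}${target}`);
  }
}
```

Run it against a real lockfile with `auditLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; the point of walking the `packages` map rather than `npm ls` output is that a nested copy pinned by a transitive dependency (the `0.1.x` line of `path-to-regexp` pulled in via a router, for instance) is reported separately from the top-level copy, so a bump of the direct dependency alone does not hide it.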

pwa-studio-bot commented 1 month ago
Messages
:book: Associated JIRA tickets: [CVE-2024](https://jira.corp.magento.com/browse/CVE-2024).
:book: DangerCI Failures related to missing labels/description/linked issues/etc will persist until the next push or next pr-test build run (assuming they are fixed).
:book: Access a deployed version of this PR [here](https://pr-4340.pwa-venia.com/). Make sure to wait for the "pwa-pull-request-deploy" job to complete.

Generated by :no_entry_sign: dangerJS against 9aa0cf90d5783bec49cac87e11ea6dea71a21309