mariocasciaro / object-path

A tiny JavaScript utility to access deep properties using a path (for Node and the Browser)
MIT License

0.11.5 Security Vulnerability #105

Closed AlAyoub closed 4 years ago

AlAyoub commented 4 years ago

Hi @mariocasciaro ,

I know 0.11.5 was version bumped to patch a security issue, however, I am seeing that 0.11.5 is also vulnerable and there is no secure version available. Is this something you are aware of? If so, is there a fix coming soon? Thank you.

mariocasciaro commented 4 years ago

Hi Alan, do you have a proof of concept? Or can you elaborate a little bit more?

AlAyoub commented 4 years ago

@mariocasciaro - I apologize, this might be premature. Sonar currently shows no secure version. I am in touch with Sonar and they are doing another analysis on 0.11.5. It may be that they have not completed their assessment on 0.11.5. I will update here once Sonar gives me an update.

AlAyoub commented 4 years ago

@mariocasciaro it turns out that Sonar was doing maintenance on their script and they have now manually confirmed that 0.11.5 is indeed secure.

I truly apologize for the assumption without investigating further with Sonar.