opensearch-project / OpenSearch-Dashboards

📊 Open source visualization dashboards for OpenSearch.
https://opensearch.org/docs/latest/dashboards/index/
Apache License 2.0

CVE-2021-23424 (High) detected in ansi-html-0.0.7.tgz #1065

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago

CVE-2021-23424 - High Severity Vulnerability

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Dependency Hierarchy:
- @osd/ui-framework-1.0.0.tgz (Root Library)
  - webpack-dev-server-3.11.2.tgz
    - :x: **ansi-html-0.0.7.tgz** (Vulnerable Library)

Found in HEAD commit: 4fd064970b66ce555f48c22dfab6ed965d0e260a

Found in base branch: main

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution: VueJS.NetCore - 1.1.1;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;Fable.Template.Elmish.React - 0.1.6;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;Envisia.DotNet.Templates - 3.0.1

tmarkley commented 2 years ago

```
$ yarn why ansi-html
yarn why v1.22.17
[1/4] Why do we have the module "ansi-html"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "ansi-html@0.0.7"
info Reasons this module exists
   - "_project_#@osd#ui-framework#webpack-dev-server" depends on it
   - Hoisted from "_project_#@osd#ui-framework#webpack-dev-server#ansi-html"
   - Hoisted from "_project_#@osd#storybook#@storybook#react#@pmmmwh#react-refresh-webpack-plugin#ansi-html"
info Disk size without dependencies: "40KB"
info Disk size with unique dependencies: "40KB"
info Disk size with transitive dependencies: "40KB"
info Number of shared dependencies: 0
Done in 1.92s.
```

Need to upgrade webpack-dev-server >4.1.1. That along with removing the storybook dependencies in #1171 will remove the ansi-html dependency.