Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-0842 medium vulnerability reported against latest release 0.4.23 #663

Closed
wnm3 opened this issue Apr 6, 2023 · 15 comments
Closed

Comments

@wnm3
Copy link

wnm3 commented Apr 6, 2023

Today we started getting notifications for xml2js libraries having a medium vulnerability. I'd been using an older version 0.4.19 so forced updates to the latest 0.4.23 but the vulnerability remains with the current version. I know these are often debated whether they represent real problems, but if there is a fix you could issue that would be great. Thanks in advance for your help.

The problem reported by our monitoring system (whitesource/Mend) provided this detail:
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.

It seems the fix is to disallow keys for proto from XML content to be added in the js object...

NIST just shows this as awaiting analysis: https://nvd.nist.gov/vuln/detail/CVE-2023-0842

@cspotcode
Copy link

This affects users of the latest aws-sdk v2, since it directly depends on xml2js.
https://www.npmjs.com/package/aws-sdk?activeTab=dependencies

xml2js was most recently published in 2019, but the most recent code changes were merged in 2020, docs changes merged more recently than that.
https://www.npmjs.com/package/xml2js?activeTab=versions
https://github.com/Leonidas-from-XIV/node-xml2js/commits/master

@Fotiman
Copy link

Fotiman commented Apr 7, 2023

This provides a great example for reproducing the vulnerability:
https://fluidattacks.com/advisories/myers/

@cspotcode
Copy link

That report says that on 2023-02-14 "Vendor replied acknowledging the report" but I'm not sure if that means a fix is planned or not.

@dmattia
Copy link

dmattia commented Apr 7, 2023

Github's advisory lists this as high severity: GHSA-776f-qx25-q3cc

@tambor81
Copy link

tambor81 commented Apr 8, 2023

we found this CVE-2023-0842 reported as HIGH in our daily build breaking for this library (our build breaks only for High and critical), it shouldn't be high!, because it depends on protractor (for e2e tests or unit tests) which is EOL, webdriver and other deprecated libraries

Protractor is EOL and will be removed from @angular-devkit/build-angular on Angular 16...,

is anybody fixing this?

@matthewmayer
Copy link

Obligatory XKCD

image

@Arisamiga
Copy link

There has been a Pull Request open #603 that is a fix for this vulnerability sense 2021

@OIRNOIR
Copy link

OIRNOIR commented Apr 8, 2023

I wish there was a facepalm reaction. We could have fixed the vulnerability a long time ago.

@yuameshi
Copy link

yuameshi commented Apr 9, 2023

any updates? expo is affacted too

@Leonidas-from-XIV
Copy link
Owner

I've merged #603 and published xml2js 0.5.0 to NPM. Also updated some dependency versions on the way, but need to look into this closer why requests is part of the dependency cone to start with.

@wnm3
Copy link
Author

wnm3 commented Apr 10, 2023

Thank you -- I'd had to switch from request to got

@matthewmayer
Copy link

could you push a 0.5.0 tag to Github https://github.com/Leonidas-from-XIV/node-xml2js/tags ?

@Leonidas-from-XIV
Copy link
Owner

Leonidas-from-XIV commented Apr 10, 2023 via email

@Leonidas-from-XIV
Copy link
Owner

Pushed the tag.

achingbrain pushed a commit to achingbrain/ssdp that referenced this issue Apr 27, 2023
github-actions bot pushed a commit to achingbrain/ssdp that referenced this issue Apr 27, 2023
@scott-korin
Copy link

scott-korin commented May 5, 2023

This affects users of the latest aws-sdk v2, since it directly depends on xml2js.

FYI, it's probably a good idea to upgrade to aws-sdk 3, since v2 will be going into maintenance mode this year. And yeah, I know how big of a PITA that might be.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests