CVE-2023-0842 medium vulnerability reported against latest release 0.4.23 #663
Comments
This affects users of the latest aws-sdk v2, since it directly depends on xml2js. xml2js was most recently published in 2019, but the most recent code changes were merged in 2020, and docs changes were merged more recently than that.
This provides a great example for reproducing the vulnerability:
That report says that on 2023-02-14 "Vendor replied acknowledging the report", but I'm not sure if that means a fix is planned or not.
GitHub's advisory lists this as high severity: GHSA-776f-qx25-q3cc
We found CVE-2023-0842 reported as HIGH in our daily build, breaking for this library (our build breaks only for High and Critical). It shouldn't be high, because it depends on protractor (for e2e tests or unit tests), which is EOL, webdriver and other deprecated libraries. Protractor is EOL and will be removed from @angular-devkit/build-angular in Angular 16... Is anybody fixing this?
There has been a Pull Request open, #603, that is a fix for this vulnerability since 2021.
I wish there was a facepalm reaction. We could have fixed the vulnerability a long time ago. |
Any updates? expo is affected too.
I've merged #603 and published xml2js 0.5.0 to NPM. Also updated some dependency versions on the way, but need to look into this closer why
Thank you -- I'd had to switch from request to got
Could you push a 0.5.0 tag to GitHub https://github.com/Leonidas-from-XIV/node-xml2js/tags ?
Yes, I will when I'm back home.
Pushed the tag. |
Fixes a [recently published vulnerability](https://github.com/advisories/GHSA-776f-qx25-q3cc) which was patched in [0.5.0](https://github.com/Leonidas-from-XIV/node-xml2js/issues/663#issuecomment-1501088667)
## [4.0.2](v4.0.1...v4.0.2) (2023-04-27)

### Trivial Changes

* **deps:** Updated xml2js to 0.5.0 to patch CVE-2023-0842 ([#43](#43)) ([fa5086f](fa5086f)), closes [Leonidas-from-XIV/node-xml2js#663 (comment)](https://github.com/Leonidas-from-XIV/node-xml2js/issues/663#issuecomment-1501088667)
FYI, it's probably a good idea to upgrade to aws-sdk 3, since v2 will be going into maintenance mode this year. And yeah, I know how big of a PITA that might be. |
Today we started getting notifications for xml2js libraries having a medium vulnerability. I'd been using an older version 0.4.19 so forced updates to the latest 0.4.23 but the vulnerability remains with the current version. I know these are often debated whether they represent real problems, but if there is a fix you could issue that would be great. Thanks in advance for your help.
The problem reported by our monitoring system (whitesource/Mend) provided this detail:
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
It seems the fix is to disallow keys for `__proto__` from XML content to be added in the JS object...
NIST just shows this as awaiting analysis: https://nvd.nist.gov/vuln/detail/CVE-2023-0842
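The mechanism described in the report, as an added example that is neither xml2js's code nor anything posted in this thread: a minimal element-only XML walker builds a plain object the way a naive XML-to-JS converter does, and two key-assignment policies are compared. The naive one does `obj[name] = value`, so an element literally named `__proto__` reaches the inherited `Object.prototype.__proto__` setter and swaps the parent's prototype for attacker-controlled data; the hardened one uses `Object.defineProperty`, which creates an own property called `__proto__` and leaves the prototype alone. The tokenizer, function names, the `isAdmin` sample input and the choice of `defineProperty` (rather than rejecting the key outright) are all assumptions of this example; it does not reproduce the actual 0.5.0 patch.

```javascript
'use strict';
// Added example, not xml2js code. Builds an object tree from an XML subset
// and shows how a child element named "__proto__" behaves under two policies.

// Constructed attacker input: the <__proto__> element smuggles isAdmin onto
// the prototype of the parsed <root> object under the naive policy.
const POISONED_XML =
  '<root><__proto__><isAdmin>true</isAdmin></__proto__><name>alice</name></root>';

// Tokenize an XML subset: open tags, close tags and text. No attributes,
// comments, CDATA or entities; just enough to show the key-assignment issue.
function tokenize(xml) {
  const re = /<\/([A-Za-z_][\w.-]*)\s*>|<([A-Za-z_][\w.-]*)\s*>|([^<]+)/g;
  const tokens = [];
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m[1] !== undefined) tokens.push({ type: 'close', name: m[1] });
    else if (m[2] !== undefined) tokens.push({ type: 'open', name: m[2] });
    else if (m[3].trim() !== '') tokens.push({ type: 'text', value: m[3].trim() });
  }
  return tokens;
}

// Vulnerable policy: plain assignment. For name === "__proto__" this invokes
// the inherited setter and replaces obj's prototype with `value`.
function assignNaive(obj, name, value) {
  obj[name] = value;
}

// Hardened policy (one safe option, assumed here): defineProperty bypasses the
// setter and stores an own data property whose key happens to be "__proto__".
function assignSafe(obj, name, value) {
  Object.defineProperty(obj, name, {
    value, writable: true, enumerable: true, configurable: true,
  });
}

// Walk the tokens and build { elementName: value } with the given policy.
// A leaf element becomes its text; an element with children becomes an object.
function xmlToObject(xml, assign) {
  const root = { children: {}, text: '' };
  const stack = [root];
  for (const t of tokenize(xml)) {
    const top = stack[stack.length - 1];
    if (t.type === 'open') {
      stack.push({ name: t.name, children: {}, text: '' });
    } else if (t.type === 'text') {
      top.text += t.value;
    } else {
      const done = stack.pop();
      if (done.name !== t.name) throw new Error(`mismatched </${t.name}>`);
      const parent = stack[stack.length - 1];
      const value = Object.keys(done.children).length ? done.children : done.text;
      assign(parent.children, done.name, value);
    }
  }
  if (stack.length !== 1) throw new Error('unclosed element');
  return root.children;
}

if (typeof require !== 'undefined' && require.main === module) {
  const vuln = xmlToObject(POISONED_XML, assignNaive).root;
  const safe = xmlToObject(POISONED_XML, assignSafe).root;
  // Under the naive policy isAdmin is visible to property reads but is not an
  // own property, so JSON.stringify and Object.keys never show it.
  console.log('naive: isAdmin =', vuln.isAdmin, '| serialized =', JSON.stringify(vuln));
  console.log('safe : isAdmin =', safe.isAdmin, '| serialized =', JSON.stringify(safe));
}
```

The practical check this illustrates: a field that an authorization routine reads with `user.isAdmin` can be attacker-supplied even though it never appears in logs, `Object.keys`, or a JSON round trip, because it lives on the prototype rather than on the object. Any converter that turns untrusted element or attribute names into object keys needs either an own-property definition like the one above or an explicit reject list for `__proto__`, `constructor` and `prototype`.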