Critical vulnerability - Formidable arbitrary file upload #2167
Description
There is a critical vulnerability for the @newrelic/publish-sourcemap library and it's getting picked up by our security scans and could become a blocker as the scans could block the ability to deploy. I know that this might not be the right place for the bug report but I was not able to find the right repository on GitHub in order to file this issue. Perhaps someone can help in reaching the team responsible for maintaining @newrelic/publish-sourcemap?
Expected Behavior
Vulnerability should be patched by updating the formidable dependency to >=3.2.4
Troubleshooting or NR Diag results
Steps to Reproduce
Install the @newrelic/publish-sourcemap package and run npm or yarn audit to get the critical violation report
Your Environment
Additional context
https://www.npmjs.com/advisories/1097147
Comments
Hi. Yes, we don't own this but I'll try to find out who does internally and move this issue to the appropriate place.
Hi, thanks @bizob2828
CVE-2022-29622 was revoked by Snyk, but does still appear in other vulnerability databases as the NVD themselves never revoked their entry. The contributors over on formidable had a long thread about this vulnerability a couple of years ago. The general opinion over there seems to be that the vulnerability was filed in error. But there was an open question whether the vulnerability was completely invalid or whether it was valid, but actually at a lower risk level. For us, I don't see a need to dive any deeper into the issue. Our version of formidable is out of date, and we will update it in an upcoming release of @newrelic/publish-sourcemap—likely it will be version 5.1.2.
Vulnerability resolved in [email protected]
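The audit finding in this issue is a transitive one: formidable is not a direct dependency of the application but is pulled in under @newrelic/publish-sourcemap, so the question a maintainer or a release gate has to answer is which copies of formidable are actually in the install tree and whether each one is at or above the fixed version. The script below is an added example, not code from the issue, from New Relic or from the formidable project. It walks a package-lock.json (lockfileVersion 2/3 "packages" map, with a fallback for the nested lockfileVersion 1 "dependencies" tree) and lists every instance of a named package whose version is below a given threshold. The sample lockfiles and their version numbers are constructed for the example; the threshold 3.2.4 is the one stated in the issue.

```javascript
// Added example (not from the issue, New Relic or formidable): report every copy of a
// package in a package-lock.json that is older than a fixed version. Useful for checking
// whether a transitive dependency flagged by `npm audit` is still present after an upgrade.

function parseSemver(v) {
  // Keep major.minor.patch; ignore a leading "v" and any prerelease/build suffix.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison per component, so "3.10.0" sorts after "3.2.4".
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for every install of pkgName below fixedIn.
function findVulnerable(lock, pkgName, fixedIn) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/a/node_modules/b"; the root project is the "" key.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const name = entry.name || path.split('node_modules/').pop();
      if (name === pkgName && entry.version && compareSemver(entry.version, fixedIn) < 0) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects, walked recursively.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkgName && entry.version && compareSemver(entry.version, fixedIn) < 0) {
          hits.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfiles (versions are illustrative, not taken from any real release).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/formidable': { version: '3.5.1' },                 // top-level copy: fixed
    'node_modules/@newrelic/publish-sourcemap': { version: '5.0.0' },
    'node_modules/@newrelic/publish-sourcemap/node_modules/formidable': { version: '1.2.6' }, // nested copy: old
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    '@newrelic/publish-sourcemap': {
      version: '5.0.0',
      dependencies: { formidable: { version: '2.0.1' } },
    },
  },
};

// CLI use: node check-lock.js package-lock.json formidable 3.2.4
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  const hits = findVulnerable(lock, process.argv[3] || 'formidable', process.argv[4] || '3.2.4');
  for (const h of hits) console.log(`${h.path}@${h.version}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

Run against the project's real lockfile, a non-zero exit code means an old copy is still installed somewhere in the tree, which is exactly the condition the audit in the issue reports; the script exits 0 once every copy is at or above the threshold, such as after the dependency bump the maintainers describe.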