
Vulnerability check reported failure on main - Tue Jul 19 00:48:59 UTC 2022 - undici CVE-2022-32210 #10

Closed
mhdawson opened this issue Jul 19, 2022 · 7 comments

Comments

@mhdawson
Member

https://github.com/mhdawson/nodejs-dependency-vuln-assessments/actions/runs/2694426919
WARNING: New vulnerabilities found

@mhdawson
Member Author

Full error message:

WARNING: New vulnerabilities found

  • undici (version 5.8.0) :
  • Check that the dependency's version printed by the script corresponds to the version present in the Node repo.
    If not, update dependencies.py with the actual version number and run the script again.
  • If the version is correct, check the vulnerability's description to see if it applies to the dependency as
    used by Node. If not, the vulnerability ID (either a CVE or a GHSA) can be added to the ignore list in
    dependencies.py. IMPORTANT: Only do this if certain that the vulnerability found is a false positive.
  • Otherwise, the vulnerability found must be remediated by updating the dependency in the Node repo to a
    non-affected version, followed by updating dependencies.py with the new version.

@mhdawson
Member Author

@mcollina I believe you already confirmed that this does not affect Node.js, can you confirm that here?

My understanding is that we will update the version of undici in Node.js but that that will happen as part of regular releases since Node.js is not affected.

@mhdawson mhdawson changed the title Vulnerability check reported failure on main - Tue Jul 19 00:48:59 UTC 2022 Vulnerability check reported failure on main - Tue Jul 19 00:48:59 UTC 2022 - CVE-2022-32210 Jul 19, 2022
@mhdawson mhdawson changed the title Vulnerability check reported failure on main - Tue Jul 19 00:48:59 UTC 2022 - CVE-2022-32210 Vulnerability check reported failure on main - Tue Jul 19 00:48:59 UTC 2022 - undici CVE-2022-32210 Jul 19, 2022
@mcollina
Member

Yes exactly. fetch() has a few more protections than the lower level APIs.

@mhdawson
Member Author

@mcollina thanks for confirming. We'll leave this open as documentation of that until we have updates in the relevant Node.js versions.

@mcollina
Member

I think something in the script or in the advisory is incorrect.
Node.js has already been updated to v5.8.0, which is significantly past that. nodejs/node#43886

@facutuesca
Contributor

facutuesca commented Jul 20, 2022

It looks like NVD published the advisory but has not yet updated all the information (like the specific range of affected versions):

UNDERGOING ANALYSIS
This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary.

Since there is no version specified, it's considered a vulnerability in all versions (at least from the point of view of querying the NVD API).
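
The failure mode described in this comment, as an added example that is not the nodejs-dependency-vuln-assessments script or its dependencies.py: a triage function that reports "unknown" when an NVD record has no affected-version data yet, instead of treating the missing range as "all versions affected". Field names assume the NVD CVE API 2.0 JSON layout, and the sample records (ids, status, version bound) are constructed, not the real CVE-2022-32210 data.

```python
"""Added example: triage an NVD record so that a CVE still "UNDERGOING ANALYSIS"
(no affected-version range published) is reported as unknown, not as affecting
every version. Field names follow the NVD CVE API 2.0 JSON layout (assumed)."""
import re


def _vt(v: str) -> tuple:
    """'5.8.0' -> (5, 8, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def _match_hits(m: dict, version: str) -> bool:
    """Does one cpeMatch entry cover `version`? Bounds may be given as
    versionStart*/versionEnd* keys or as the version field of the CPE string."""
    v = _vt(version)
    lo_i, lo_x = m.get("versionStartIncluding"), m.get("versionStartExcluding")
    hi_i, hi_x = m.get("versionEndIncluding"), m.get("versionEndExcluding")
    if (lo_i and v < _vt(lo_i)) or (lo_x and v <= _vt(lo_x)):
        return False
    if (hi_i and v > _vt(hi_i)) or (hi_x and v >= _vt(hi_x)):
        return False
    if not any((lo_i, lo_x, hi_i, hi_x)):
        # cpe:2.3:part:vendor:product:VERSION:... -> index 5 is the version
        cpe_version = m["criteria"].split(":")[5]
        return cpe_version == "*" or _vt(cpe_version) == v
    return True


def assess(cve: dict, product: str, version: str) -> str:
    """Return 'vulnerable', 'not_affected' or 'unknown' for one CVE record."""
    matches = [m for cfg in cve.get("configurations", [])
               for node in cfg.get("nodes", [])
               for m in node.get("cpeMatch", [])
               if m.get("vulnerable") and f":{product}:" in m.get("criteria", "")]
    if not matches:
        # Nothing published about affected versions yet: hand it to a human
        # rather than flagging every version (the false positive in this issue).
        return "unknown"
    return "vulnerable" if any(_match_hits(m, version) for m in matches) else "not_affected"


# Constructed sample records (NVD 2.0 shape; ids, status and bound are made up).
PENDING = {"id": "CVE-EXAMPLE-0001", "vulnStatus": "Undergoing Analysis"}
ANALYZED = {"id": "CVE-EXAMPLE-0002", "vulnStatus": "Analyzed", "configurations": [
    {"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*",
         "versionEndExcluding": "5.5.1"}]}]}]}

if __name__ == "__main__":
    print(assess(PENDING, "undici", "5.8.0"))    # unknown
    print(assess(ANALYZED, "undici", "5.8.0"))   # not_affected
```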

@mhdawson
Member Author

mhdawson commented Aug 3, 2022

closing in favor of - #45

@mhdawson mhdawson closed this as completed Aug 3, 2022