Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: CVE items in opensearch dashboards #1358

Closed
accmt opened this issue Mar 17, 2022 · 3 comments
Closed

[Bug]: CVE items in opensearch dashboards #1358

accmt opened this issue Mar 17, 2022 · 3 comments
Assignees
Labels
bug Something isn't working

Comments

@accmt
Copy link

accmt commented Mar 17, 2022

Describe the bug

opensearch-dashboard 1.2.0 has following security issues:
CVE-2022-0144 shelljs fixed in 0.8.5
CVE-2022-0155 follow-redirects fixed in 1.14.7
CVE-2022-23647 prismjs fixed in 1.27.0
CVE-2022-0686 url-parse fixed in 1.5.8
CVE-2022-0235 node-fetch fixed in 2.6.7, 3.1.1

Please upgrade the dependencies to fix these issues.

To reproduce

--

Expected behavior

No response

Screenshots

If applicable, add screenshots to help explain your problem.

Host / Environment

No response

Additional context

No response

Relevant log output

No response

@accmt accmt added bug Something isn't working untriaged labels Mar 17, 2022
@kavilla
Copy link
Member

kavilla commented Mar 17, 2022

For OpenSearch Dashboards we have CVE items:

We try to avoid major version bumps in packages to avoid breaking plugins so for 1.3.0 we have addressed the following: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+is%3Aclosed+label%3Acve+label%3Av1.3.0, which was just GHSA-r683-j2x4-v87g node-fetch fixed in 2.6.7, 3.1.1.

For 2.0.0 OpenSearch Dashboards we have merged into main and addressed the following: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+is%3Aclosed+label%3Acve+label%3Av2.0.0. With these still remaining: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+is%3Aopen+label%3Acve+label%3Av2.0.0+.

I believe we can close this issue as a duplicate and track the specific CVEs with https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aopen+is%3Aissue+label%3Acve when related to OpenSearch Dashboards.

What do you think @accmt?

cc: @tmarkley

@bbarani bbarani transferred this issue from opensearch-project/opensearch-build Mar 17, 2022
@accmt
Copy link
Author

accmt commented Mar 18, 2022

@kavilla thanks for a really quick response. Sorry for reporting into a wrong project and not finding those tickets. This can be closed as you are tracking those well. Thanks a lot!

@tmarkley
Copy link
Contributor

For reference, here's where each CVE is tracked:

CVE-2022-0144 - #1139
CVE-2022-0155 - #1133
CVE-2022-23647 - prismjs was removed in #1300
CVE-2022-0686 - #1266
CVE-2022-0235 - #1162

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants