-
Notifications
You must be signed in to change notification settings - Fork 898
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2022-29622 (High) detected in formidable-2.0.1.tgz - autoclosed #1593
Comments
|
|
This CVE is still undergoing analysis by NVD - it's unclear if Dashboards is impacted. |
`useExpandedHeade`r instead of `useExpandedMenu` fixes opensearch-project#1593 Signed-off-by: Josh Romero <[email protected]>
|
Currently |
The fix is to bump formidable to v3.2.4+ Currently [email protected] is using [email protected]. The latest superagent is still using Formidable bump to v3.2.4 includes breaking changes: https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md I think the solution is to resolve it to v3.2.4 but no backport. This CVE should be fixed in 3.0.0 due to breaking changes. |
Currently the latest superagent still uses [email protected] which causes the security issue. https://github.com/visionmedia/superagent/blob/e8d532632bea846e6a8c7677a268dca3641271e7/package.json#L27 Formidable bump to v3.2.4 includes breaking changes: https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md In this PR, we resolve formidable to 3.2.4+. The fix will not be backported to 2.x. Issue Resolved: opensearch-project#1593 Signed-off-by: Anan Zhuang <[email protected]>
Currently the latest superagent still uses [email protected] which causes the security issue. https://github.com/visionmedia/superagent/blob/e8d532632bea846e6a8c7677a268dca3641271e7/package.json#L27 Formidable bump to v3.2.4 includes breaking changes: https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md In this PR, we resolve formidable to 3.2.4+. The fix will not be backported to 2.x. Issue Resolved: opensearch-project#1593 Signed-off-by: Anan Zhuang <[email protected]>
Issue:
At the meantime I found some other discussion on References
Summary
cc @ananzh @tmarkley @joshuarrrr @kavilla any thoughts? |
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
CVE-2022-29622 - High Severity Vulnerability
Vulnerable Library - formidable-2.0.1.tgz
A node.js module for parsing form data, especially file uploads.
Library home page: https://registry.npmjs.org/formidable/-/formidable-2.0.1.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled.
Mend Note: After conducting further research, Mend has determined that this is a controversial case - Mend security team suggest to refer to it as a risky feature and not as critical vulnerability
Publish Date: 2022-05-16
URL: CVE-2022-29622
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-16
Fix Resolution: formidable - 3.2.4
The text was updated successfully, but these errors were encountered: