[Snyk: Medium] package.json - Denial of Service (due 11/16/20) #4043
Comments
There is a live discussion in
We've moved this to Blocked because there's no remediation for the affected package's dependency grandparent (if that's a thing. The package that requires the package that requires the affected package) and that package hasn't seen any development in over a year. The vulnerability is only Medium and isn't publicly exposed for us until a user logs in to the admin section.
@rfultz @patphongs I moved this to blocked 13.8. Please let me know if it should be moved elsewhere.
Because the vulnerability can't be exploited except by an authenticated user, this is not a meaningful vulnerability. This is also no longer being flagged by Snyk.
Denial of Service:
Vulnerable module: node-fetch
Introduced through: draft-js@0.10.5
Exploit maturity: No known exploit
Fixed in: 2.6.1, 3.0.0-beta.9
Detailed paths
Introduced through: fec-cms@1.0.0 › draft-js@0.10.5 › fbjs@0.8.17 › isomorphic-fetch@2.2.1 › node-fetch@1.7.3
Remediation: Upgrade node-fetch to version 2.6.1, 3.0.0-beta.9 or higher.
Overview
node-fetch is a light-weight module that brings window.fetch to node.js.
Affected versions of this package are vulnerable to Denial of Service. node-fetch did not honor the size option after following a redirect: when the content size of the redirected response was over the limit, no FetchError was thrown and the oversized body was read in full, so the process consumed the whole response without failing.
https://app.snyk.io/vuln/SNYK-JS-NODEFETCH-674311
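The behaviour the advisory describes, modelled as an added example (this is not node-fetch's or fec-cms's code): a fetch-style helper that keeps the `size` byte budget in force on every redirect hop, with a `carryLimitAcrossRedirects` switch so the pre-2.6.1 behaviour (limit dropped after a redirect) can be compared with the fixed one. `BodySizeError`, `readBodyWithLimit`, `fetchWithLimit`, `exceedsLimit` and the `FAKE_ROUTES` table are hypothetical names, and the URLs and responses in `FAKE_ROUTES` are constructed in-memory test data rather than real network traffic.

```javascript
// Added example, not node-fetch or fec-cms code. Models a size-limited fetch that
// carries the limit across redirects, as node-fetch does from 2.6.1 onward.

class BodySizeError extends Error {
  constructor(limit, seen) {
    super(`body exceeded size limit of ${limit} bytes (read ${seen})`);
    this.name = 'BodySizeError';
    this.limit = limit;
    this.seen = seen;
  }
}

// Concatenate body chunks, aborting as soon as the running total passes `limit`.
// A limit of 0 means unlimited, matching the semantics of node-fetch's `size` option.
function readBodyWithLimit(chunks, limit) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    const buf = Buffer.from(chunk);
    total += buf.length;
    if (limit > 0 && total > limit) throw new BodySizeError(limit, total);
    parts.push(buf);
  }
  return Buffer.concat(parts);
}

// Constructed stand-in for the network: URL -> canned response (hypothetical data).
const FAKE_ROUTES = {
  'http://example.test/start': { status: 302, headers: { location: '/big' }, body: [] },
  'http://example.test/big':   { status: 200, headers: {}, body: ['x'.repeat(1024), 'y'.repeat(1024)] },
  'http://example.test/small': { status: 200, headers: {}, body: ['hello'] },
};

// Follow redirects up to `follow` hops, applying `size` to whichever response is
// finally read. With carryLimitAcrossRedirects=false the limit is forgotten on the
// first redirect, which reproduces the defect the advisory describes.
function fetchWithLimit(url, opts = {}, routes = FAKE_ROUTES) {
  const { size = 0, follow = 20, carryLimitAcrossRedirects = true } = opts;
  let current = url;
  let limit = size;
  for (let hop = 0; hop <= follow; hop++) {
    const res = routes[current];
    if (!res) throw new Error(`no route for ${current}`);
    const isRedirect = res.status >= 300 && res.status < 400 && Boolean(res.headers.location);
    if (isRedirect) {
      current = new URL(res.headers.location, current).toString();
      if (!carryLimitAcrossRedirects) limit = 0; // vulnerable behaviour: limit dropped
      continue;
    }
    return { url: current, status: res.status, body: readBodyWithLimit(res.body, limit) };
  }
  throw new Error(`maximum redirect count (${follow}) exceeded`);
}

// Convenience for callers that want a boolean instead of an exception.
function exceedsLimit(url, opts, routes) {
  try {
    fetchWithLimit(url, opts, routes);
    return false;
  } catch (e) {
    if (e instanceof BodySizeError) return true;
    throw e;
  }
}
```

Running `exceedsLimit('http://example.test/start', { size: 1024 })` returns true because the 2048-byte body behind the redirect is checked against the caller's limit; with `carryLimitAcrossRedirects: false` the same call returns false, which is the unbounded read the advisory warns about. When auditing a wrapper around any HTTP client, this is the check worth keeping: the byte limit must be enforced on the response that is actually read, not only on the first request.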
Action items
Completion criteria: