[BUG] Dependency on vulnerable version of xml-encryption
#556
Comments
|
Ah good point, I did not realize that the caret was missing. That said, xml-encryption has not released an update on npm (1.2.2 was released one month ago). I opened an issue to them. |
|
It appears that v1.2.2 has been released on npm now. |
|
Yes but we need 1.2.3, which doesn't exist yet :( see auth0/node-xml-encryption#82 |
Author of the original xmldom advisory here. The vulnerability has nothing to do with XXE. The advisory on Snyk is wrong, I don't know where they got it from. The actual vulnerability does not affect xml-encryption. |
|
@jupenur thanks for the info regarding CVE-2021-21366 Can you provide a (link to?) more technical explanation? I see that Github is the Assigning CNA. Did github repplied to your false positive report? Thanks |
|
btw |
|
@christian-hawk the vulnerability itself is real and not a false positive, it's just that it doesn't affect all downstream applications in the same way. GitHub is only involved as the assigning party for the CVE, but there's nothing to correct on the CVE either. The information on the CVE (on the MITRE website, on NVD etc.) is accurate, as is the information on the original advisory here. But the information on Snyk is incorrect and not based on anything other than their own speculation as far as I can tell. In terms of technical details, currently I don't have anything to share beyond what's in the original advisory. |
This package has an exact dependency on
xml-encryption@1.2.1:passport-saml/package.json
Line 56 in 4d2b909
xml-encryption@1.2.1has a dependency onxmldom@~0.1.15, which has an XXE vulnerability that has been patched inxmldom@>=0.5.0: https://github.com/auth0/node-xml-encryption/blob/9b6df94b0ea30ff7ff836c5e3bf8b328c6a69175/package.json#L25This package should bump its dependency to
xml-encryption@1.2.3or higher.The text was updated successfully, but these errors were encountered: