CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz #1084
* Addresses known Inefficient Regular Expression Complexity CVE in `ansi-regex` < 5.0.1: CVE-2021-3807
* `webpack-dev-server` has a downstream dependency on `ansi-regex` v6.0.1, but it's still compatible with v5.0.1.

Resolves opensearch-project#1084

Signed-off-by: Tengda He <tengh@amazon.com>
This issue is closed, but I still have this CVE detected in the 1.3.2 versions or the 2.0.0-rc1 version of OpenSearch Dashboards. Can anyone explain whether this issue is really done or not?
Hi @minutolc, yes, this CVE is addressed in 2.0: OpenSearch-Dashboards/package.json, line 78 in 5c00c1e.
It's not fixed in 1.3.2 because the fix involves a breaking change.
Is it normal that I detect it also in 2.0.0-rc1? Or would it be correct only in 2.0.0?
The CVE is mitigated in 2.0.0-rc1 as well, so no, that's not normal. Can you provide details about how you're detecting the CVE?
I use Anchore to detect CVEs. Result from Anchore (stop):
vulnerabilities / package / HIGH Vulnerability found in non-os package type (npm) - /usr/share/opensearch-dashboards/plugins/notificationsDashboards/node_modules/wrap-ansi/node_modules/ansi-regex/package.json (CVE-2021-3807 - https://nvd.nist.gov/vuln/detail/CVE-2021-3807)
CVE-2021-3807 - High Severity Vulnerability
Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz
ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy:
ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 4fd064970b66ce555f48c22dfab6ed965d0e260a
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (has-ansi): 5.0.0