-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
361 additions
and
289 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,23 +1,29 @@ | ||
| { | ||
| "low": true, | ||
| "_allowlistInfo": [ | ||
| "_allowListExample": [ | ||
| { | ||
| "advisory": "GHSA-p8p7-x288-28g6", | ||
| "details": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)", | ||
| "justification1": "Request package is deprecated and unlikely to receive updates.", | ||
| "justification2": "Application unaffected as it only uses request by way of kubernetes/client-node, which talks to kubernetes, which can be asserted as not an attacker-controlled server.", | ||
| "expiry": "31 July 2023 00:00" | ||
| "GHSA-1234-5678-9012": { | ||
| "active": true, | ||
| "notes": "The package X has vuln Y that is ignored because Y", | ||
| "expiry": "2077-04-01" | ||
| } | ||
| }, | ||
| { | ||
| "advisory": "GHSA-72xf-g2v4-qvf3", | ||
| "details": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", | ||
| "justification1": "Package used by request, which is also exempted. Explicitly freezeing Object to guarantee attack vector is inaccessible.", | ||
| "expiry": "31 July 2023 00:00" | ||
| } | ||
| ], | ||
| "allowlist": [ | ||
| "GHSA-p8p7-x288-28g6", | ||
| "GHSA-72xf-g2v4-qvf3" | ||
| ], | ||
| { | ||
| "GHSA-p8p7-x288-28g6": { | ||
| "active": true, | ||
| "notes": "The Request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP)", | ||
| "expiry": "2023-10-01" | ||
| } | ||
| }, | ||
| { | ||
| "GHSA-72xf-g2v4-qvf3": { | ||
| "active": true, | ||
| "notes": "The Request package (see above) requires tough-cookie at a vulnerable version.", | ||
| "expiry": "2023-10-01" | ||
| } | ||
| } ], | ||
| "skip-dev": true | ||
| } | ||
|
|
Oops, something went wrong.