Security issue with v8.6.1 #1903

@corinnaSchultz

Description

Snyk flagged this as a security vulnerability:
restify@8.6.1 › bunyan@1.8.14 › moment@2.29.1
restify-plugins@1.6.0 › bunyan@1.8.14 › moment@2.29.1

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
https://cwe.mitre.org/data/definitions/22.html

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24785
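The advisory's suggested workaround is to sanitize a user-provided locale name before handing it to Moment.js. The following is an added example written for this thread, not code from restify, bunyan or Moment.js: it accepts a locale name only if it has the plain shape of a locale tag and is on an allowlist of locales the application actually ships, so strings carrying path separators or `..` segments are rejected before any locale switch happens. The locale list and the sample inputs are constructed for the demo, and the caller is assumed to pass the returned value to something like `moment.locale()`.

```javascript
// Added example (not restify's or Moment.js's own code): allowlist validation
// of a user-supplied locale name before it is used to switch a date library's
// locale. KNOWN_LOCALES is a constructed subset standing in for the locales an
// application really bundles; adjust it to what you ship.
const KNOWN_LOCALES = new Set(['en', 'en-gb', 'de', 'de-at', 'fr', 'es', 'ja', 'zh-cn']);

// Strict shape check: a 2-3 letter language subtag plus up to three short
// alphanumeric subtags. No '/', '\\' or '.' can pass, so '../' never reaches
// any file lookup that the library might do with the name.
const LOCALE_SHAPE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8}){0,3}$/;

// Returns a normalized locale name, or null if the input is not acceptable.
function sanitizeLocale(input) {
  if (typeof input !== 'string') return null;
  // Normalize case and the common 'en_GB' spelling to 'en-gb'.
  const name = input.trim().toLowerCase().replace(/_/g, '-');
  if (!LOCALE_SHAPE.test(name)) return null;
  // Shape alone is necessary but not sufficient: only accept locales we know.
  return KNOWN_LOCALES.has(name) ? name : null;
}

// Picks a safe locale for a request, falling back to a fixed default rather
// than passing anything unvalidated downstream.
function pickLocale(userInput, fallback = 'en') {
  return sanitizeLocale(userInput) ?? fallback;
}

// Constructed sample inputs: two legitimate spellings, two traversal attempts,
// an empty string and a non-string value.
const samples = ['de-AT', 'en_GB', '../../etc/passwd', 'en/../../x', '', null];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', pickLocale(s));
}
```

The allowlist is the important part: a regex alone would still let an unknown but well-formed name through to whatever lookup the library performs, whereas the set makes the accepted values finite and reviewable.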

Activity

kolbma commented on May 23, 2022

Where is the attack vector?

corinnaSchultz commented on May 23, 2022

Sorry, all I know is what Snyk says, and just wanted to let people here know, just in case.

pinko-fowle commented on Sep 23, 2022

> Where is the attack vector?

We are indeed turning down our security monitoring across a wide range of projects, owing to Bunyan, which we hope indeed is not actually a clear vector in.

Our security monitoring is giving us two other alerts that we are for now muting:

  • restify-8.6.1 -> bunyan-1.8.15 -> mv-2.1.1 -> mkdirp-0.5.1 -> minimist-0.0.8 cve-2021-44906
  • restify-8.6.1 -> http-signature-1.2.0 -> jsprim-1.4.1 -> json-schema-0.2.3 cve-2021-3918

In general, it feels like it'd be super nice & everyone could sleep better if we could move from a conservative stance ("Where is the attack vector?" which we all have to re-convince ourselves on in isolation) to a "Let's upgrade it if we can" (so no teams have to think about each vulnerability) mentality. At least when there are upgrades available, just doing the work would be great. I'll try to help get the ball rolling some & submit some PRs.

Good news: bunyan is at the root of 3/4 issues here, and is replaced by pino in #1841. #1889 upgraded http-signatures to 1.3.6 which is not vulnerable. We just need a release: #1844. 🎉

Security issue with v8.6.1 · Issue #1903 · restify/node-restify