CVE-2022-37599 - security vulnerability across all loader-utils #214
Please update to v3, v2 is deprecated, check your deps using
3.2.0 is the version being used.
Can you provide message output from npm/yarn/etc?
npm verb stack Error: 403 -------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>> FOR DETAILS SEE ------>>> <NEXUS_IQ>/ui/links/repositories/quarantinedComponent/YmZlYzg1Mzg0ZTYyNDk0MGEzZjUyZjllOTE4NmM1NDk <<<------ - GET <NEXUS_URL>/npm-group/loader-utils/-/loader-utils-3.2.0.tgz
CVE-2022-37599 Explanation Version Affected
Please run
+-- @angular-devkit/[email protected]
We override loader-utils with the latest, which is 3.2.0. It still has this CVE
As you can see you still use
It is not safe. Also I can't get ability to see
https://nvd.nist.gov/vuln/detail/CVE-2022-37599 is a public link to the finding, though it seems to be void of any useful information unfortunately 😞
@wrslatz yeah, we need an example of how to reproduce it, because I can't understand where the problem is
If somebody has any information, feel free to send a PR with a fix, I will be glad to review it
I get a warning for [email protected] as well from Sonatype IQ Server. But the security vulnerabilities it mentions in the description are regarding version 2.0.0:
(parseQuery doesn't exist in 3.2.0, so this is weird indeed!) So there must be some fault in the systems reporting security issues. So for everyone coming here after investigating security audit reports: The three vulnerabilities mentioned about loader-utils 3.0.2 are most likely false positives due to an error in the robots reporting about security issues...
I think so, because I can't find any related information about this |
No description provided.