Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2018-3728: Moderate Security Vulnerability in hoek #11

Closed
adunkman opened this issue May 1, 2018 · 3 comments · Fixed by #12
Closed

CVE-2018-3728: Moderate Security Vulnerability in hoek #11

adunkman opened this issue May 1, 2018 · 3 comments · Fixed by #12

Comments

@adunkman
Copy link
Owner

adunkman commented May 1, 2018

CVE-2018-3728:

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
@adunkman adunkman mentioned this issue May 1, 2018
Merged
@adunkman
Copy link
Owner Author

adunkman commented May 1, 2018

#12 didn’t actually fix this — there seems to be some package which needs to be updated first. I wasn’t immediately able to find the culprit.

@adunkman adunkman reopened this May 1, 2018
@adunkman
Copy link
Owner Author

adunkman commented May 10, 2018
edited

This is waiting on a new version of node-sass (sass/node-sass#2355) — the maintainer is on vacation. Since we only load node-sass during our build step, this is not critical to update.

@adunkman
Copy link
Owner Author

Fixed in #38.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Upgrade dependencies to fix CVE-2018-3728. adunkman/dc311rn.com
1 participant
@adunkman