Problem with IQ Server vulnerability : sonatype-2020-0067 #55
Comments
Bumping this as it is still an issue my team is facing.
I am having this issue as of today as well. sonatype-2020-0067: Root Cause Advisories
I'm not sure if I'm reading this right, but the
Regardless of anything, you probably aren't using static-module on untrusted input, so even if it's flagging code that is actually running it's still a false positive that you can ignore and that Sonatype should stop reporting. If you are using static-module (or likely brfs) on untrusted input you have bigger problems than this, because there are intentional arbitrary code execution "vulnerabilities" that are essential to the functioning of this package. It is simply not intended to be used that way. It should only be used at build time on your own (i.e. trusted) code.
Hi,
Here is my problem.
I want to install "compodoc" in an internal Angular project, but one of its dependencies is blocked by IQ Server for this reason:
sonatype-2020-0067:
EXPLANATION
The acorn package is vulnerable to Regular Expression Denial of Service (ReDoS). The RegExpValidationState.prototype.at and RegExpValidationState.prototype.nextIndex functions in acorn.js, acorn.mjs, and acorn.es.js process user-supplied input without properly validating UTF-16 surrogate pairs. A remote attacker can exploit this behavior by submitting a crafted UTF-16 encoded string which, when parsed by the application, will result in an infinite loop, ultimately leading to a DoS condition.
ROOT CAUSE
static-module-3.0.4.tgz : package/dist/acorn.js [5.5.0, 5.7.4)
ADVISORIES
Third Party: https://www.npmjs.com/advisories/1488
Is there a solution to fix it in a future version of "static-module"?
Best regards
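The advisory quoted above says the flagged `at` / `nextIndex` functions combine UTF-16 code units "without properly validating UTF-16 surrogate pairs". The following is an added illustration written for this page, not acorn's or static-module's own code: a surrogate-aware cursor of the kind a `/u`-mode regex validator needs, with the unvalidated variant beside the validated one and a `scan()` loop that fails loudly instead of spinning if the cursor ever stops advancing. The function names, the sample strings and the `maxSteps` guard are all assumptions made for the example.

```javascript
// Added illustration (not acorn's or static-module's code) of surrogate-pair
// handling in a UTF-16 cursor. Names, samples and the step guard are assumptions.

function isHighSurrogate(c) { return c >= 0xd800 && c <= 0xdbff; }
function isLowSurrogate(c)  { return c >= 0xdc00 && c <= 0xdfff; }

// Unvalidated variant: any unit in the surrogate range is merged with whatever
// unit follows it, so a lone high surrogate swallows the next character
// (e.g. a closing ']') into a bogus code point. This is the class of defect the
// advisory describes, not a claim about acorn's exact source.
function atUnvalidated(source, i, unicodeMode) {
  if (i >= source.length) return -1;
  const c = source.charCodeAt(i);
  if (!unicodeMode || c <= 0xd7ff || c >= 0xe000 || i + 1 >= source.length) return c;
  return (c << 10) + source.charCodeAt(i + 1) - 0x35fdc00; // same as the pair formula below
}

// Validated variant: only a real high+low pair is combined; a lone surrogate is
// returned as its own 16-bit unit and the following unit stays visible.
function at(source, i, unicodeMode) {
  if (i >= source.length) return -1;
  const c = source.charCodeAt(i);
  if (!unicodeMode || !isHighSurrogate(c) || i + 1 >= source.length) return c;
  const next = source.charCodeAt(i + 1);
  return isLowSurrogate(next) ? ((c - 0xd800) << 10) + (next - 0xdc00) + 0x10000 : c;
}

// Index of the next code point; advances by two only for a validated pair.
function nextIndex(source, i, unicodeMode) {
  if (i >= source.length) return source.length;
  const c = source.charCodeAt(i);
  if (!unicodeMode || !isHighSurrogate(c) || i + 1 >= source.length) return i + 1;
  return isLowSurrogate(source.charCodeAt(i + 1)) ? i + 2 : i + 1;
}

// Walks the whole input with the validated cursor and returns the code points seen.
// The guard turns "cursor did not advance" into an exception rather than a hang,
// which is the failure mode a ReDoS input relies on.
function scan(source, unicodeMode, maxSteps = source.length + 1) {
  const out = [];
  let i = 0;
  let steps = 0;
  while (i < source.length) {
    if (++steps > maxSteps) throw new Error("cursor stopped advancing at index " + i);
    const ni = nextIndex(source, i, unicodeMode);
    if (ni <= i) throw new Error("cursor stopped advancing at index " + i);
    out.push(at(source, i, unicodeMode));
    i = ni;
  }
  return out;
}

// Constructed sample inputs: a real pair (U+1F600), a lone high surrogate followed
// by ']', and a lone low surrogate followed by 'a'.
const SAMPLES = {
  pair: "\uD83D\uDE00",
  loneHighThenBracket: "\uD83D]",
  loneLowThenA: "\uDE00a",
};

// Results of the validated cursor over the samples, plus what the unvalidated
// variant makes of the lone high surrogate (the ']' disappears into 0x1185D).
function demo() {
  return {
    pairU: scan(SAMPLES.pair, true),                       // [0x1F600]
    pairNoU: scan(SAMPLES.pair, false),                    // [0xD83D, 0xDE00]
    loneHighU: scan(SAMPLES.loneHighThenBracket, true),    // [0xD83D, 0x5D]
    loneLowU: scan(SAMPLES.loneLowThenA, true),            // [0xDE00, 0x61]
    loneHighUnvalidated: atUnvalidated(SAMPLES.loneHighThenBracket, 0, true), // 0x1185D
  };
}
```

The practical point for the thread: whichever cursor acorn ships, static-module only ever runs it over your own source at build time, so the input is trusted and the ReDoS finding does not describe an exposure in the built application; the example is there to show what "validating surrogate pairs" means, not to suggest the build step is attacker-reachable.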