NSP vulnerability for protobufjs <=6.8.5 #872

Closed

mboughaba opened this issue May 27, 2018 · 2 comments

@mboughaba

[REQUIRED] Describe your environment

  • Firebase SDK version: 5.0.4
  • Firebase Product: firestore

[REQUIRED] Describe the problem

Steps to reproduce:

nsp check

I am referencing #813. It looks like this is still an issue.
protobufjs@5.0.3 seems vulnerable too.

λ nsp check --reporter table
(+) 1 vulnerability found
┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Denial of Service                                                  │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ protobufjs                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 5 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 5.0.3                                                              │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <=6.8.5                                                            │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ >=6.8.6                                                            │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ alita-web@0.1.2 > firebase@5.0.4 > @firebase/firestore@0.5.4 >     │
│            │ grpc@1.11.3 > protobufjs@5.0.3                                     │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/605                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

Cheers

@omar10594

omar10594 commented May 28, 2018

The fix was ported to the 5.x.x version; 5.0.3 has the fix.
But nodesecurity still has outdated information on the status of this problem.
After updating to 5.0.3 you can ignore the vulnerability until nodesecurity updates their database.

See protobufjs/protobuf.js/pull/1030

@mboughaba (Author)

mboughaba commented May 30, 2018

The nsp database has been updated and indeed the fix was ported to 5.0.3.
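The thread's point is that a fix backported to an older release line (5.0.3) is misflagged by an advisory whose vulnerable range is written as a single upper bound (`<=6.8.5`). The following is an added example, not code from the Firebase, protobufjs or nsp projects: a small Node script that walks a constructed npm-v5-style `package-lock` tree mirroring the dependency path in the report above, and evaluates the installed protobufjs version against two advisory ranges. The names `naiveAdvisory`, `backportAwareAdvisory`, `audit`, `findPaths` and `satisfies` are this example's own, and the backport-aware range (`<5.0.3 || >=6.0.0 <6.8.6`) is illustrative of the correct shape, not the literal text of nodesecurity advisory 605.

```javascript
// Added example (not from the Firebase, protobufjs or nsp projects).
// Shows why a single upper-bound range "<=6.8.5" misflags protobufjs@5.0.3
// once the fix has been backported to the 5.x line, and how a per-line
// range avoids the false positive.

// Parse "MAJOR.MINOR.PATCH" into numbers. Prerelease/build suffixes are
// deliberately ignored to keep the example short.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 in the usual comparator sense.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A comparator is one of "<", "<=", ">", ">=", "=" followed by a version.
// Comparators joined by spaces are ANDed; clauses joined by "||" are ORed,
// matching the npm range grammar for these simple cases.
function satisfies(version, range) {
  return range.split('||').some((clause) =>
    clause.trim().split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(cmp);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    }));
}

// Walk an npm-v5-style package-lock "dependencies" tree and return every
// occurrence of `name` with its path, formatted like the nsp report.
function findPaths(node, name, prefix = [`${node.name}@${node.version}`]) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, `${dep}@${info.version}`];
    if (dep === name) hits.push({ path: path.join(' > '), version: info.version });
    hits.push(...findPaths({ name: dep, version: info.version, dependencies: info.dependencies }, name, path));
  }
  return hits;
}

// Return the paths whose installed version falls inside the advisory range.
function audit(lock, advisory) {
  return findPaths(lock, advisory.name)
    .filter((hit) => satisfies(hit.version, advisory.vulnerable))
    .map((hit) => hit.path);
}

// Constructed lockfile fragment mirroring the path in the nsp table above.
const lock = { name: 'alita-web', version: '0.1.2', dependencies: {
  firebase: { version: '5.0.4', dependencies: {
    '@firebase/firestore': { version: '0.5.4', dependencies: {
      grpc: { version: '1.11.3', dependencies: {
        protobufjs: { version: '5.0.3' } } } } } } } } };

// Range as the report states it: everything up to 6.8.5 is vulnerable,
// which cannot express a fix that landed in 5.0.3 on the older line.
const naiveAdvisory = { name: 'protobufjs', vulnerable: '<=6.8.5' };

// Illustrative per-line range: 5.x is fixed from 5.0.3, 6.x from 6.8.6.
// (Shape only; not the literal text of nodesecurity advisory 605.)
const backportAwareAdvisory = { name: 'protobufjs', vulnerable: '<5.0.3 || >=6.0.0 <6.8.6' };

console.log('naive range flags:', audit(lock, naiveAdvisory));
console.log('backport-aware range flags:', audit(lock, backportAwareAdvisory));
```

Run with `node audit.js`. The naive range reports the same path as the nsp table; the backport-aware range reports nothing, while still flagging 5.0.2 and 6.8.5. When reconciling a scanner finding against a vendor's "fixed in X" statement, check the range per major line rather than trusting a single upper bound.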

@firebase firebase locked and limited conversation to collaborators Oct 19, 2019