[GHSA-6h5x-7c5m-7cr7] Exposure of Sensitive Information in eventsource

[DaleGardner]

Updates

• Affected products
• References

[DaleGardner]

I confirmed with multiple security scans across multiple projects that v1.1.1 was still vulnerable.

I created a PR to remove v1.1.1 as a "patched" version, here: #366

However, that PR was incorrectly closed after a cursory review.

I then posted about the vulnerability on eventsource repo and a maintainer responded and then created a new version (v1.1.2) to fix the vulnerability. That PR is here: EventSource/eventsource#281

Following along that path, this PR now updates to indicate v1.1.2 as a patched version, and versions beneath that as affected.

Please do not close this PR. It should be reviewed and merged to update the advisory correctly.

[darakian]

Hey @DaleGardner, please re-read this comment EventSource/eventsource#273 (comment)

As my colleague has already made clear here this GHSA applies only to the lack of header removal. Please make a request to the eventsource project maintainers for a new GHSA and we would be happy to include that in our database should they make one.

[DaleGardner]

Hey @DaleGardner, please re-read this comment EventSource/eventsource#273 (comment)

As my colleague has already made clear here this GHSA applies only to the lack of header removal. Please make a request to the eventsource project maintainers for a new GHSA and we would be happy to include that in our database should they make one.

@darakian My apologies. I guess the coincidence of having two security issues fixed in the same version (2.0.2) of the same repo at the same time got me confused when someone else was claiming they were resolved in 1.1.1 based on the advisory, when apparently only one of the two was backported to 1.1.1 at that time, and now 1.1.2 corrects the other, ugh.

I'll close this