Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2021-23807 (Medium) detected in jsonpointer #1107

Closed
tmarkley opened this issue Jan 6, 2022 · 1 comment
Closed

CVE-2021-23807 (Medium) detected in jsonpointer #1107

tmarkley opened this issue Jan 6, 2022 · 1 comment

Comments

@tmarkley
Copy link
Contributor

tmarkley commented Jan 6, 2022
edited

GHSA-282f-qqgm-c34q - Medium Severity Vulnerability

Vulnerable Library - jsonpointer@4.1.0

This is an implementation of [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901).

Library home page: https://www.npmjs.com/package/jsonpointer

Dependency Hierarchy:

  • sass-lint@1.12.1 (Root Library)
    • eslint@2.13.1
      • is-my-json-valid@2.20.5
        • jsonpointer@4.1.0 (Vulnerable Library)
$ npm ls jsonpointer
opensearch-dashboards@2.0.0 /home/ubuntu/ws/OpenSearch-Dashboards
└─┬ sass-lint@1.12.1
  └─┬ eslint@2.13.1
    └─┬ is-my-json-valid@2.20.5
      └── jsonpointer@4.1.0

$ yarn why jsonpointer
yarn why v1.22.17
[1/4] Why do we have the module "jsonpointer"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.4.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "jsonpointer@4.1.0"
info Reasons this module exists
   - "_project_#sass-lint#eslint#is-my-json-valid" depends on it
   - Hoisted from "_project_#sass-lint#eslint#is-my-json-valid#jsonpointer"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
Done in 1.83s.

Found in base branch: main

Vulnerability Details

This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.

Publish Date: 2021-11-08

URL: CVE-2021-23807

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: janl/node-jsonpointer#51

Release Date: 2021-11-08

Fix Resolution: jsonpointer - 5.0.0
@tmarkley tmarkley added medium severity Medium severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jan 6, 2022
@tmarkley
Copy link
Contributor Author

Duplicate of #1152

@tmarkley tmarkley marked this as a duplicate of #1152 Jan 14, 2022
@tmarkley tmarkley removed medium severity Medium severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jan 14, 2022
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@rshen91
feat(a11y): add alt text for all chart types (opensearch-project#1118)
e1c7489 
Fixes opensearch-project#1107
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@semantic-release-bot
chore(release): 29.2.0 [skip ci]
ccd72c3 
# [29.2.0](elastic/elastic-charts@v29.1.0...v29.2.0) (2021-05-25)

### Bug Fixes

* **legend:** disable handleLabelClick for one legend item ([opensearch-project#1134](elastic/elastic-charts#1134)) ([e485174](elastic/elastic-charts@e485174)), closes [opensearch-project#1055](elastic/elastic-charts#1055)

### Features

* **a11y:** add alt text for all chart types  ([opensearch-project#1118](elastic/elastic-charts#1118)) ([e1c7489](elastic/elastic-charts@e1c7489)), closes [opensearch-project#1107](elastic/elastic-charts#1107)
* **legend:** specify number of columns on floating legend ([opensearch-project#1159](elastic/elastic-charts#1159)) ([ed3736e](elastic/elastic-charts@ed3736e)), closes [opensearch-project#1158](elastic/elastic-charts#1158)
* simple screenspace constraint solver ([opensearch-project#1141](elastic/elastic-charts#1141)) ([af9dd96](elastic/elastic-charts@af9dd96))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tmarkley