Further security issue #1563
- context.propertyIsEnumerable can be replaced via __defineGetter__
- This is a fix specific to counter a known RCE exploit. Other fixes will follow. closes #1563
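The commit message above says the guard could be bypassed because `context.propertyIsEnumerable` is resolved on the untrusted context object and can be redefined with `__defineGetter__`. The following is an added illustration, not Handlebars' own code: a hypothetical lookup guard in its naive form beside a hardened form that borrows the built-ins from `Object.prototype`, run against a constructed context whose `propertyIsEnumerable` has been replaced.

```javascript
// Added example, not code from the Handlebars project. The lookup functions
// are hypothetical stand-ins for a template engine's property guard.

// Naive guard: the check is a method call on the context itself, so an object
// that carries its own propertyIsEnumerable answers the question for us.
function lookupNaive(context, name) {
  if (context == null) return undefined;
  if (!context.propertyIsEnumerable(name)) return undefined;
  return context[name];
}

// Hardened guard: use Object.prototype's own functions via .call(), so nothing
// defined on the context can change the answer, and require an own property.
const hasOwn = Object.prototype.hasOwnProperty;
const isEnum = Object.prototype.propertyIsEnumerable;

function lookupHardened(context, name) {
  if (context == null || typeof context !== 'object') return undefined;
  if (!hasOwn.call(context, name) || !isEnum.call(context, name)) return undefined;
  return context[name];
}

// Constructed sample context: a plain object whose propertyIsEnumerable is
// replaced through __defineGetter__ with a getter returning an always-true function.
function makeTamperedContext() {
  const ctx = { title: 'hello' };
  ctx.__defineGetter__('propertyIsEnumerable', () => () => true);
  return ctx;
}

// Returns what each guard yields for a given name on the tampered context.
// For an inherited name such as "constructor" the naive guard lets the
// inherited value through; the hardened guard returns undefined.
function compare(name) {
  const ctx = makeTamperedContext();
  return {
    naive: lookupNaive(ctx, name),
    hardened: lookupHardened(ctx, name),
  };
}
```

The hardened form also rejects non-object contexts and inherited names outright, which is the check the naive form delegates to the data it is supposed to distrust.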
Is this fixed by 4.3.3?
All proofs-of-concept that I have received so far are not working anymore with 4.3.3. I am still trying to work out if there are any ways to circumvent my fixes. I cannot say for certain that everything is fixed.
I have reported the fix of this issue to npm only yesterday. It may take them until next week to update the audit-database.
Ah @nknapp, just came across this.. would you be able to confirm if there was a fix for CVE-2019-19919 made and, if so, in what commit/version release? Thanks in advance!
The npm advisory that is referenced in the CVE was resolved in 4.3.0. There were variations that were possible until 4.5.3. 4.6.0 now provides a more complete solution. I think the npm-security advisories give a more complete picture than CVEs.
Thanks for the quick response. Also, would you be able to kindly point out the commit fixing the issue in 4.6.0? :)
Disallowing calls to the helperMissing helpers (#1558) didn't solve all the problems, and another exploit was reported.
The exploit will be released well after the fix is in place to give people a chance to update.