Vulnerabilities introduced by package node-forge and @firebase/util #1392
Comments
I found a few problems with this issue:
Thanks for bug report @paimon0715. We don't usually release patches for previous major versions, and our release processes are not even set up for that type of maintenance work (e.g. we don't have a v8 branch to perform further development on). I'll chat with the team and see if we can make an exception in this one instance.
@hiranya911 Thank you very much for your help.
Hi @paimon0715. I discussed this with the rest of our team, and the consensus was that the risk of breaking something with a new point release is not worth the potential benefits. Therefore we are not going to do another v8 point release at this stage. As for the security issues, I don't think either of the mentioned vulnerabilities actually affect the Admin SDK. We do not call the vulnerable functions mentioned in the CVEs ( I would also recommend reporting an issue (or even submit a PR) at https://github.com/jloosli/node-firestore-import-export to see if we can get them to upgrade, since this seems to be what's pulling the old Admin SDK version into developer's projects in most cases.
Hi @hiranya911, @lahirumaramba, there are two vulnerabilities introduced in your package:
Issue Description
Vulnerabilities CVE-2020-7720 detected in package node-forge<0.10.0 and CVE-2020-7765 detected in package @firebase/util<0.3.4 are referenced by firebase-admin@8.13.0. We noticed that the vulnerabilities have been removed since firebase-admin@9.2.0.
However, firebase-admin's popular previous version firebase-admin@8.13.0 (78,863 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 498 downstream projects, e.g., @paperbits/firebase 0.1.429, dblibrary 1.338.0, @endran/firebridge 2.0.0, firestore-to-bigquery-export 1.7.2, @meditect/geofirestore-clustering-js 1.0.8, multi-db-orm@1.0.8, node-paytmpg@2.0.4, etc.).
As such, issue CVE-2020-7720 and CVE-2020-7765 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade firebase-admin from version 8.13.0 to (>=9.2.0). For instance, firebase-admin@8.13.0 is introduced into the above projects via the following package dependency paths:
(1)
multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ node-forge@0.7.6
(2)
node-paytmpg@2.0.4 ➔ multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ node-forge@0.7.6
(3)
multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ @firebase/database@0.6.13 ➔ @firebase/component@0.1.19 ➔ @firebase/util@0.3.2
......
The projects such as node-firestore-import-export, which introduced firebase-admin@8.13.0, are not maintained anymore. These unmaintained packages can neither upgrade firebase-admin nor be easily migrated by the large amount of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package firebase-admin@8.13.0?
Suggested Solution
Since these inactive projects set a version constraint 8.13.0 for firebase-admin on the above vulnerable dependency paths, if firebase-admin removes the vulnerability from 8.13.0 and releases a new patched version firebase-admin@8.13.1, such a vulnerability patch can be automatically propagated into the 498 affected downstream projects.
In firebase-admin@8.13.1, you can kindly try to perform the following upgrade:
(1)
node-forge ^0.7.6 ➔ ^0.10.0
(2)
@firebase/database ^0.6.0 ➔ ^0.7.1
Note:
node-forge@0.10.0(>=0.10.0) has fixed the vulnerability (CVE-2020-7720);
@firebase/database@0.7.1(>=0.7.1) transitively depends on @firebase/util@0.3.4(a vulnerability CVE-2020-7765 patched version)
Thanks again for your contributions.
Best regards,
Paimon
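The report above rests on two mechanics of npm dependency resolution: which installed versions a dependency path actually walks through, and whether a declared semver range lets a patched release flow in on the next install without anyone editing a manifest. The following is an added example, not code from the issue, from firebase-admin or from any of the packages named. It builds a small graph from the dependency paths quoted in the issue and checks both questions with a minimal semver matcher. firebase-admin's own ranges (`^0.7.6` for node-forge, `^0.6.0` for @firebase/database) are the ones the issue quotes; every other range string, the `INSTALLED` table and the `GRAPH` shape are assumptions for illustration. Two things worth seeing in the output: a caret range on a `0.x` version fixes the minor, so `^0.7.6` can never resolve to node-forge 0.10.0 and the range itself has to change in a firebase-admin release; and whether an 8.13.1 would reach downstream depends on the downstream range being `^8.13.0`-style rather than an exact `8.13.0` pin.

```javascript
// Added example (not from the issue or from firebase-admin): walk a
// constructed dependency graph, list every path that reaches a vulnerable
// package version, and check whether a patched release would be accepted by
// the declared semver ranges on the next install.
//
// Package names and versions come from the dependency paths in the issue.
// firebase-admin's "^0.7.6" and "^0.6.0" are quoted in the issue; every
// range marked "assumed" is made up here for illustration.
const GRAPH = {
  "node-paytmpg@2.0.4": { "multi-db-orm": "^1.0.8" },                    // assumed range
  "multi-db-orm@1.0.8": { "node-firestore-import-export": "^1.1.0" },    // assumed range
  "node-firestore-import-export@1.1.0": { "firebase-admin": "^8.13.0" }, // assumed range
  "firebase-admin@8.13.0": { "node-forge": "^0.7.6", "@firebase/database": "^0.6.0" },
  "@firebase/database@0.6.13": { "@firebase/component": "^0.1.19" },     // assumed range
  "@firebase/component@0.1.19": { "@firebase/util": "^0.3.2" },          // assumed range
  "node-forge@0.7.6": {},
  "@firebase/util@0.3.2": {},
};

// Versions resolved in the (constructed) lockfile, one installed copy per name.
const INSTALLED = {
  "multi-db-orm": "1.0.8",
  "node-firestore-import-export": "1.1.0",
  "firebase-admin": "8.13.0",
  "node-forge": "0.7.6",
  "@firebase/database": "0.6.13",
  "@firebase/component": "0.1.19",
  "@firebase/util": "0.3.2",
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimal semver range matcher: exact, "^", "~", ">=" and "*".
// Caret follows npm's rule that the leftmost non-zero component stays fixed,
// so "^0.7.6" means >=0.7.6 <0.8.0 and never reaches 0.10.0.
function satisfies(version, range) {
  if (range === "*") return true;
  const m = /^(\^|~|>=)?(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op = "", base] = m;
  if (compare(version, base) < 0) return false;
  if (op === ">=") return true;
  if (op === "") return compare(version, base) === 0;
  const [maj, min, pat] = parseVersion(base);
  let upper;
  if (op === "~" || (op === "^" && maj === 0 && min !== 0)) upper = `${maj}.${min + 1}.0`;
  else if (op === "^" && maj === 0) upper = `0.0.${pat + 1}`; // ^0.0.z: that patch only
  else upper = `${maj + 1}.0.0`;
  return compare(version, upper) < 0;
}

// All dependency paths from `root` to `target` ("name@version"), following the
// installed version of each dependency name. Cycles are cut by the trail check.
function findPaths(root, target, graph = GRAPH, installed = INSTALLED) {
  const paths = [];
  const walk = (node, trail) => {
    if (node === target) { paths.push(trail); return; }
    for (const dep of Object.keys(graph[node] || {})) {
      const resolved = `${dep}@${installed[dep]}`;
      if (!trail.includes(resolved)) walk(resolved, [...trail, resolved]);
    }
  };
  walk(root, [root]);
  return paths;
}

// For every package that declares a dependency on `name`, report whether its
// range would accept `patched` on a fresh install with no manifest change.
function patchPropagation(name, patched, graph = GRAPH) {
  const report = {};
  for (const [pkg, deps] of Object.entries(graph)) {
    if (name in deps) report[pkg] = { range: deps[name], accepts: satisfies(patched, deps[name]) };
  }
  return report;
}

for (const p of findPaths("node-paytmpg@2.0.4", "node-forge@0.7.6")) console.log(p.join(" -> "));
console.log(patchPropagation("node-forge", "0.10.0"));     // firebase-admin's ^0.7.6 rejects 0.10.0
console.log(patchPropagation("firebase-admin", "8.13.1")); // assumed ^8.13.0 accepts 8.13.1
```

To run this against a real project instead of the constructed tables, populate `GRAPH` and `INSTALLED` from `npm ls --all --json` (or the lockfile's `packages` map) and keep the range strings from each package's own `package.json`; the matcher covers only the range forms used here, so replace it with the `semver` package when ranges contain `||`, `x`, hyphen ranges or prerelease tags.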