Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-37434 (zlib) found on v18.x #51

Closed
github-actions bot opened this issue Aug 12, 2022 · 5 comments
Closed

CVE-2022-37434 (zlib) found on v18.x #51

github-actions bot opened this issue Aug 12, 2022 · 5 comments

Comments

@github-actions
Copy link

Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/2843675337
Vulnerability ID: CVE-2022-37434

Full output:

WARNING: New vulnerabilities found
- zlib (version 1.2.11) :
	- CVE-2022-37434: https://nvd.nist.gov/vuln/detail/CVE-2022-37434
- undici (version 5.8.0) :
	- CVE-2022-31151: https://nvd.nist.gov/vuln/detail/CVE-2022-31151
	- CVE-2022-31150: https://nvd.nist.gov/vuln/detail/CVE-2022-31150
	- CVE-2022-32210: https://nvd.nist.gov/vuln/detail/CVE-2022-32210

For each dependency and vulnerability, check the following:
- Check that the dependency's version printed by the script corresponds to the version present in the Node repo.
If not, update dependencies.py with the actual version number and run the script again.
- If the version is correct, check the vulnerability's description to see if it applies to the dependency as
used by Node. If not, the vulnerability ID (either a CVE or a GHSA) can be added to the ignore list in
dependencies.py. IMPORTANT: Only do this if certain that the vulnerability found is a false positive.
- Otherwise, the vulnerability found must be remediated by updating the dependency in the Node repo to a
non-affected version, followed by updating dependencies.py with the new version.
@mcollina
Copy link
Member

Node.js is not vulnerable to those undici issues.

@facutuesca
Copy link
Contributor

Node.js is not vulnerable to those undici issues.

@mcollina @mhdawson
This issue actually corresponds to the zlib vulnerability (CVE-2022-37434). The Full output section contains all the CVEs found on a specific CI run, and there is an issue created for each (confusing, I know, we'll change it so that in the future only the relevant CVE is included)

@mhdawson
Copy link
Member

@facutuesca thanks, my mistake on that one, removed label.

@mhdawson
Copy link
Member

See discussion in #50, this does not affect Node.js

@Neustradamus
Copy link

To follow this ticket.

@RafaelGSS RafaelGSS changed the title New vulnerability CVE-2022-37434 found on v18.x CVE-2022-37434 (zlib) found on v18.x Oct 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants