
ssri 6.0.1 vulnerability #3064

Closed
networkandcode opened this issue Apr 12, 2021 · 3 comments

networkandcode (Author) opened this issue Apr 12, 2021

Hi, a Prisma Cloud scan of our Docker container, which has Node 12 and npm 6.14.12, detected a vulnerability in the ssri 6.0.1 package. Any solution for this, please?

Description of the vulnerability and fix below:
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Steps in Dockerfile we used to install node12 and npm:

```dockerfile
# Add the NodeSource repository for Node 12 and install nodejs from it
RUN curl -sL https://deb.nodesource.com/setup_12.x | bash
RUN apt install -y nodejs

# Upgrade npm to 6.14.12
RUN npm install npm@6 -g
```
nlf (Contributor) commented Apr 12, 2021

We've already published ssri@6.0.2 that resolves this vulnerability and npm@6.14.12 that includes this update. Advisory databases are still being updated to reflect the fix.

nlf closed this as completed Apr 12, 2021

networkandcode (Author) commented

@nlf, not sure why the scan still shows ssri@6.0.1 even after updating npm to 6.14.12.

dywilson-firstam commented Apr 15, 2021

@networkandcode, FYI the upgrade to ssri@6.0.2 was done in npm 6.14.13.

@nlf, am I to assume the upgrade to hosted-git-info@2.8.9 also in npm 6.14.13 was to resolve CVE-2021-23362?
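The scanner in this thread kept flagging ssri@6.0.1 because npm vendors its own copy of ssri under its `node_modules`, so the version that matters is the one bundled with the installed npm, not whatever `npm install ssri` would fetch today. The following POSIX shell script, added here as an example and not taken from the issue or from the npm project, walks a `node_modules` tree, finds every vendored `ssri/package.json`, and classifies each copy against the ranges stated in the thread: affected from 5.2.2 up to 8.0.0, fixed in 8.0.1, and fixed on the 6.x line from 6.0.2. It assumes each copy carries a plain `"version": "x.y.z"` field in its `package.json`; the three-copy directory layout it builds under `mktemp -d` is a constructed fixture for demonstration, not a real install.

```shell
#!/bin/sh
# Added example: locate vendored copies of ssri and flag versions still in the
# ReDoS-affected range described in the thread (5.2.2 - 8.0.0, fixed in 8.0.1,
# with 6.0.2+ on the 6.x line carrying the backported fix).

# version_lt A B: exit 0 when A < B, comparing major.minor.patch numerically.
version_lt() {
  # Turn "6.0.1" "6.0.2" into six positional fields: 6 0 1 6 0 2
  set -- $(printf '%s.%s' "$1" "$2" | tr . ' ')
  [ "$1" -lt "$4" ] && return 0
  [ "$1" -gt "$4" ] && return 1
  [ "$2" -lt "$5" ] && return 0
  [ "$2" -gt "$5" ] && return 1
  [ "$3" -lt "$6" ]
}

# ssri_status VERSION: print "affected", "ok" or "unknown" for one ssri version.
ssri_status() {
  v=${1%%-*}                                   # drop any prerelease suffix
  case "$v" in
    *[!0-9.]*|"") echo unknown; return 0 ;;     # not a plain x.y.z string
  esac
  if version_lt "$v" 5.2.2; then echo ok; return 0; fi     # before the bad range
  if ! version_lt "$v" 8.0.1; then echo ok; return 0; fi   # 8.0.1 and later are fixed
  if ! version_lt "$v" 6.0.2 && version_lt "$v" 7.0.0; then
    echo ok; return 0                          # 6.0.2 <= v < 7.0.0: backported fix
  fi
  echo affected
}

# scan_ssri DIR: print "<package.json path> <version> <status>" per vendored copy.
scan_ssri() {
  find "$1" -type f -path '*/node_modules/ssri/package.json' | while read -r pj; do
    ver=$(sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
    [ -n "$ver" ] || ver=unknown
    echo "$pj $ver $(ssri_status "$ver")"
  done
}

# count_affected DIR: number of copies still in the affected range.
count_affected() {
  scan_ssri "$1" | grep -c ' affected$' || true
}

# make_fixture: constructed sample tree (hypothetical paths and versions) with
# npm's bundled 6.0.1, a nested 6.0.2 and a top-level 8.0.1; prints its root.
make_fixture() {
  root=$(mktemp -d)
  for spec in "lib/node_modules/npm/node_modules/ssri:6.0.1" \
              "lib/node_modules/npm/node_modules/pacote/node_modules/ssri:6.0.2" \
              "lib/node_modules/ssri:8.0.1"; do
    dir="$root/${spec%%:*}"; ver="${spec##*:}"
    mkdir -p "$dir"
    printf '{\n  "name": "ssri",\n  "version": "%s"\n}\n' "$ver" > "$dir/package.json"
  done
  echo "$root"
}

# Demo run over the constructed fixture; on a real host use: scan_ssri "$(npm root -g)"
fixture=$(make_fixture)
scan_ssri "$fixture"
echo "affected copies: $(count_affected "$fixture")"
rm -rf "$fixture"
```

On a real system, point `scan_ssri` at `$(npm root -g)` (or at a project's `node_modules`) to see exactly which vendored copy the scanner is reporting; an npm older than 6.14.13 will still show its bundled ssri@6.0.1 as affected even though a newer ssri has been published.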
