
okta-signin-widget reports CVE-2023-29827 when scanned #3373

Open
riskpeep opened this issue Sep 18, 2023 · 2 comments
@riskpeep

Describe the bug

okta-signin-widget reports CVE-2023-29827 because package.json includes the 'ejs' template library.

Reference: CVE-2023-29827 (NVD)

The Okta developer forum reports that this is because okta-signin-widget includes ejs; however, ejs is not used in the component. (https://devforum.okta.com/t/okta-signin-widget-and-cve-2023-29827/25160)

Remove ejs from package.json

Reproduction Steps

1. Check out okta-signin-widget to a local directory.
2. Scan with a vulnerability scanner that checks included dependencies (we used Blackduck, but others, e.g. snyk, should also work).

SDK Versions

System:
OS: Linux 5.15 Ubuntu 22.04.3 LTS 22.04.3 LTS (Jammy Jellyfish)
CPU: (4) x64 11th Gen Intel(R) Core(TM) i9-11950H @ 2.60GHz
Memory: 10.76 GB / 11.69 GB
Container: Yes
Shell: 5.1.16 - /bin/bash
Binaries:
Node: 18.17.1 - /usr/local/bin/node
Yarn: 1.22.19 - /usr/bin/yarn
npm: 9.6.7 - /usr/local/bin/npm

Additional Information

No response

@riskpeep riskpeep added the bug label Sep 18, 2023
@jaredperreault-okta
Contributor

ejs has been removed from our dependency list
https://github.com/okta/okta-signin-widget/pull/3357/files#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L244

It is still pulled into our repo via @wdio/cli, however. This is a dev dependency (for testing only) and is not included in any bundles.

jared:widget$ yarn why ejs
yarn why v1.22.19
[1/4] 🤔  Why do we have the module "ejs"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "@okta/e2e#ejs@3.1.9"
info Reasons this module exists
   - "_project_#@okta#e2e#@wdio#cli" depends on it
   - Hoisted from "_project_#@okta#e2e#@wdio#cli#ejs"
   - in the nohoist list ["/_project_/**/@wdio/**","/_project_/**/@types/ajv-errors","/_project_/**/@types/ajv-errors/**","/_project_/**/@types/eslint-scope","/_project_/**/eslint-scope","/_project_/**/@okta/okta-auth-js"]
info Disk size without dependencies: "180KB"
info Disk size with unique dependencies: "180KB"
info Disk size with transitive dependencies: "180KB"
info Number of shared dependencies: 0
✨  Done in 1.15s.

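Triaging a scanner hit like this one, as an added example (not code from the okta-signin-widget repo or from either commenter): the script parses a yarn v1 lockfile together with the manifest's dependencies/devDependencies and reports whether the flagged package is reachable from runtime dependencies or, as in this issue, only through a dev dependency. The manifest and lockfile below are constructed samples; the @wdio/cli version is a placeholder, and the single-package layout ignores the repo's workspace/nohoist setup.

```python
from collections import deque
# Constructed sample manifest + yarn v1 lockfile (not the real widget files).
PACKAGE_JSON = {"dependencies": {"runtime-lib": "^1.0.0"},
                "devDependencies": {"@wdio/cli": "^8.0.0"}}
YARN_LOCK = '''\
"@wdio/cli@^8.0.0":
  version "8.0.0"
  dependencies:
    ejs "^3.1.9"
ejs@^3.1.9:
  version "3.1.9"
runtime-lib@^1.0.0:
  version "1.0.0"
'''
def parse_yarn_lock(text):  # -> {"name@range": {"version": str, "dependencies": {name: range}}}
    graph, entry, in_deps = {}, None, False
    for line in text.splitlines():
        if line.startswith("    ") and in_deps:          # `    name "range"`
            name, rng = line.split(None, 1)
            entry["dependencies"][name.strip('"')] = rng.strip().strip('"')
        elif line.startswith("  "):                      # 2-space field: version, resolved, ...
            field = line.strip()
            in_deps = field == "dependencies:"
            if field.startswith("version "):
                entry["version"] = field.split('"')[1]
        elif line.strip() and not line.startswith("#"):  # header: `a@^1, "@s/b@^2":`
            entry = {"version": None, "dependencies": {}}
            names = [k.strip().strip('"') for k in line.rstrip(":").split(",")]
            graph.update(dict.fromkeys(names, entry))    # aliases share one entry
            in_deps = False
    return graph

def paths_to(graph, roots, target):  # BFS from {name: range} roots; each node expanded once
    found, seen, queue = [], set(), deque([[f"{n}@{r}"] for n, r in roots.items()])
    while queue:
        path = queue.popleft()
        key = path[-1]
        if key.rsplit("@", 1)[0] == target:              # name part; handles scoped names
            found.append(path)
        elif key not in seen:
            seen.add(key)
            for dep, rng in graph.get(key, {"dependencies": {}})["dependencies"].items():
                queue.append(path + [f"{dep}@{rng}"])
    return found

def triage(manifest, lock_text, target):  # runtime-reachable vs dev-only paths to target
    graph = parse_yarn_lock(lock_text)
    runtime = paths_to(graph, manifest.get("dependencies", {}), target)
    dev = paths_to(graph, manifest.get("devDependencies", {}), target)
    return {"runtime_paths": runtime, "dev_paths": dev, "dev_only": bool(dev) and not runtime}
```

A `dev_only` result supports the maintainer's reading (the package never ships in a bundle); a non-empty `runtime_paths` list is the case that warrants an upgrade or removal.
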
@riskpeep
Author

Oh, excellent, I missed that. Any idea when this will make its way to a release?
