Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2021-23490 (High) detected in parse-link-header #1111

Closed
tmarkley opened this issue Jan 7, 2022 · 2 comments
Closed

CVE-2021-23490 (High) detected in parse-link-header #1111

tmarkley opened this issue Jan 7, 2022 · 2 comments

Comments

@tmarkley
Copy link
Contributor

tmarkley commented Jan 7, 2022

GHSA-q674-xm3x-2926 - High Severity Vulnerability

Vulnerable Library - parse-link-header@1.0.1

Parses a link header and returns paging information for each contained link.

Library home page: https://www.npmjs.com/package/parse-link-header

Dependency Hierarchy:

  • @osd/test@1.0.0 (Root Library)
    • parse-link-header@1.0.1 (Vulnerable Library)
$ npm ls parse-link-header
opensearch-dashboards@2.0.0 /home/ubuntu/ws/OpenSearch-Dashboards
└─┬ @osd/test@1.0.0 -> /home/ubuntu/ws/OpenSearch-Dashboards/packages/osd-test
  └── parse-link-header@1.0.1 

$ yarn why parse-link-header
yarn why v1.22.17
[1/4] Why do we have the module "parse-link-header"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.4.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "parse-link-header@1.0.1"
info Reasons this module exists
   - "_project_#@osd#test" depends on it
   - Hoisted from "_project_#@osd#test#parse-link-header"
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "72KB"
info Disk size with transitive dependencies: "72KB"
info Number of shared dependencies: 1
Done in 1.85s.

Found in base branch: main

Vulnerability Details

The package parse-link-header before 2.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.

Publish Date: 2021-12-24

URL: CVE-2021-23490

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: thlorenz/parse-link-header#25

Release Date: 2022-01-06

Fix Resolution: parse-link-header - 2.0.0
@tmarkley tmarkley added high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jan 7, 2022
@tmarkley
Copy link
Contributor Author

Duplicate of #1069

@tmarkley tmarkley marked this as a duplicate of #1069 Jan 14, 2022
@tmarkley tmarkley removed high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jan 14, 2022
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@rshen91
feat(a11y): allow user to pass custom description for screen readers (o…
a0020ba 
…pensearch-project#1111)

Fixes #1097
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@semantic-release-bot
chore(release): 28.2.0 [skip ci]
ac1d806 
# [28.2.0](elastic/elastic-charts@v28.1.0...v28.2.0) (2021-04-15)

### Bug Fixes

* **xy:** consider `useDefaultGroupDomain` on scale config ([opensearch-project#1119](elastic/elastic-charts#1119)) ([269ff1a](elastic/elastic-charts@269ff1a)), closes [opensearch-project#1087](elastic/elastic-charts#1087)

### Features

* **a11y:** allow user to pass custom description for screen readers ([opensearch-project#1111](elastic/elastic-charts#1111)) ([a0020ba](elastic/elastic-charts@a0020ba)), closes [#1097](elastic/elastic-charts#1097)
* **partition:** add debuggable state ([opensearch-project#1117](elastic/elastic-charts#1117)) ([08f8baf](elastic/elastic-charts@08f8baf)), closes [opensearch-project#917](elastic/elastic-charts#917)
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023
@ananzh
[CVE-2021-23490][1.x]Bump parse-link-header from 1.0.1 to 2.0.0
90d10fe 
Issue Resolve
opensearch-project#1111

Backport PR
opensearch-project#1108

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023
@ananzh
[CVE-2021-23490][1.x] Bump parse-link-header from 1.0.1 to 2.0.0
b938a28 
Issue Resolve
opensearch-project#1111

Backport PR
opensearch-project#1108

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@ananzh ananzh mentioned this issue Mar 30, 2023
Merged
8 tasks
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023
@ananzh
[CVE-2021-23490][1.x] Bump parse-link-header from 1.0.1 to 2.0.0
11f76ad 
Issue Resolve
opensearch-project#1111

Backport PR
opensearch-project#1108

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
joshuarrrr added a commit that referenced this issue Apr 11, 2023
@ananzh @joshuarrrr
[CVE-2021-23490][1.x] Bump parse-link-header from 1.0.1 to 2.0.0 (#3738)
6af2ae2 
Issue Resolve
#1111

Backport PR
#1108

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot bot pushed a commit that referenced this issue Apr 11, 2023
@github-actions
[CVE-2021-23490][1.x] Bump parse-link-header from 1.0.1 to 2.0.0 (#3738)
5229f49 
Issue Resolve
#1111

Backport PR
#1108

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 6af2ae2)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
abbyhu2000 pushed a commit that referenced this issue Apr 11, 2023
@opensearch-trigger-bot @github-actions
[CVE-2021-23490][1.x] Bump parse-link-header from 1.0.1 to 2.0.0 (#3738
27648d1 
…) (#3820)

Issue Resolve
#1111

Backport PR
#1108

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 6af2ae2)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tmarkley and others