CVE-2022-0144 (High) detected in shelljs-0.6.1.tgz #1139

mend-for-github-com · 2022-01-12T20:50:25Z

CVE-2022-0144 - High Severity Vulnerability

Vulnerable Library - shelljs-0.6.1.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.6.1.tgz

Dependency Hierarchy:

sass-lint-1.13.1.tgz (Root Library)
- eslint-2.13.1.tgz
  - ❌ shelljs-0.6.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: shelljs/shelljs@d919d22

Release Date: 2022-01-11

Fix Resolution: shelljs - 0.8.5

The text was updated successfully, but these errors were encountered:

* Introduces standard scss rules from stylelint with only a few modifications. * `yarn lint` now runs `yarn lint:style` instead of `yarn lint:sass`. * Many of the files were updated with `yarn lint:style --fix`, but some of them had to be manually updated to adhere to the newly-introduced rules from the stylelint configuration. A major culprit was the `no-descending-specificity` rule. * Some of the automated fixes that changed function names (e.g. EUI functions like `lightOrDarkTheme`) had to be overridden because EUI doesn't adhere to all of the rules. We can address this after we fold in and replace `node-sass` with Dart Sass. Resolves opensearch-project#551 Resolves opensearch-project#1139 Resolves opensearch-project#1151 Resolves opensearch-project#1152 Resolves opensearch-project#1154 Signed-off-by: Tommy Markley <markleyt@amazon.com>

* Introduces standard scss rules from stylelint with only a few modifications. * `yarn lint` now runs `yarn lint:style` instead of `yarn lint:sass`. * Many of the files were updated with `yarn lint:style --fix`, but some of them had to be manually updated to adhere to the newly-introduced rules from the stylelint configuration. A major culprit was the `no-descending-specificity` rule. * Some of the automated fixes that changed function names (e.g. EUI functions like `lightOrDarkTheme`) had to be overridden because EUI doesn't adhere to all of the rules. We can address this after we fold in and replace `node-sass` with Dart Sass. * Includes a couple fixes such as fixing the class selector for `osdnSuggestionItem--value .osdSuggestionItem__text`. Resolves opensearch-project#551 Resolves opensearch-project#1139 Resolves opensearch-project#1151 Resolves opensearch-project#1152 Resolves opensearch-project#1154 Signed-off-by: Tommy Markley <markleyt@amazon.com>

* Introduces standard scss rules from stylelint with only a few modifications. * `yarn lint` now runs `yarn lint:style` instead of `yarn lint:sass`. * Many of the files were updated with `yarn lint:style --fix`, but some of them had to be manually updated with overrides to adhere to the newly-introduced rules from the stylelint configuration. * Includes a couple fixes such as fixing the class selector for `osdnSuggestionItem--value .osdSuggestionItem__text`. Resolves opensearch-project#551 Resolves opensearch-project#1139 Resolves opensearch-project#1151 Resolves opensearch-project#1152 Resolves opensearch-project#1154 Signed-off-by: Tommy Markley <markleyt@amazon.com>

* Replaces `sass-lint` with `stylelint` * Introduces standard scss rules from stylelint with only a few modifications. * `yarn lint` now runs `yarn lint:style` instead of `yarn lint:sass`. * Many of the files were updated with `yarn lint:style --fix`, but some of them had to be manually updated with overrides to adhere to the newly-introduced rules from the stylelint configuration. * Includes a couple fixes such as fixing the class selector for `osdnSuggestionItem--value .osdSuggestionItem__text`. Resolves #551 Resolves #1139 Resolves #1151 Resolves #1152 Resolves #1154 Signed-off-by: Tommy Markley <markleyt@amazon.com> * fix(Style): Fixes flex style Signed-off-by: Ashwin Pc <ashwinpc@amazon.com> * fix(lint): Fixes empty comment lint issue Signed-off-by: Ashwin Pc <ashwinpc@amazon.com> * chore: rebase and updates yarn.lock Signed-off-by: Ashwin Pc <ashwinpc@amazon.com> Co-authored-by: Tommy Markley <markleyt@amazon.com>

minutolc · 2022-05-10T08:25:25Z

this issue is closed but I still have this CVE detected in the 1.3.2 versions or 2.0.0-rc1 version of opensearch dashboard. Anyone can explain if this issue is really done or not ?

tmarkley · 2022-05-10T14:18:06Z

Hi @minutolc, as you can see by our labels, this CVE is fixed in v2.0.0, but not any other version. We cannot merge the fix in any 1.x branch because it is a breaking change.

minutolc · 2022-05-10T14:22:32Z

hi @tmarkley , thank you for your answer , this means that v2.0.0 label is not referring to 2.0.0-rc1 version but only 2.0.0 version ?

tmarkley · 2022-05-10T14:26:10Z

In this case, the fix was merged into our 2.0 branch at the time we released/tagged 2.0.0-rc1: https://github.com/opensearch-project/OpenSearch-Dashboards/tree/2.0.0-rc1.

The CVE is mitigated in 2.0.0-rc1.

minutolc · 2022-05-10T14:37:19Z

I still detect the CVE in the 2.0.0-rc1. Do you think there is any chance that the 2.0.0 correct entirely this CVE ?

tmarkley · 2022-05-10T16:20:03Z

Can you provide details about how you're detecting the CVE in 2.0.0-rc1?

minutolc · 2022-05-20T12:25:56Z

Scan of the docker image with anchore

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 12, 2022

tmarkley added cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE labels Jan 12, 2022

mend-for-github-com bot changed the title ~~CVE-2022-0144 (High) detected in shelljs-0.8.4.tgz~~ CVE-2022-0144 (High) detected in shelljs-0.6.1.tgz, shelljs-0.8.4.tgz Jan 14, 2022

tmarkley mentioned this issue Feb 23, 2022

Replace sass-lint #551

Closed

tmarkley self-assigned this Feb 23, 2022

tmarkley mentioned this issue Feb 28, 2022

Replaces sass-lint with stylelint #1294

Closed

7 tasks

tmarkley mentioned this issue Mar 21, 2022

[Bug]: CVE items in opensearch dashboards #1358

Closed

ashwin-pc mentioned this issue Apr 1, 2022

Sass lint #1413

Merged

7 tasks

mend-for-github-com bot changed the title ~~CVE-2022-0144 (High) detected in shelljs-0.6.1.tgz, shelljs-0.8.4.tgz~~ CVE-2022-0144 (High) detected in shelljs-0.6.1.tgz Apr 1, 2022

ashwin-pc closed this as completed in #1413 Apr 1, 2022

tmarkley added the v2.0.0 label Apr 21, 2022

ZilongX mentioned this issue Oct 5, 2022

[Backport 1.x] Bumps shelljs to 0.8.5 to fix CVE-2022-0144 #2512

Closed

5 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-0144 (High) detected in shelljs-0.6.1.tgz #1139

CVE-2022-0144 (High) detected in shelljs-0.6.1.tgz #1139

mend-for-github-com bot commented Jan 12, 2022 •

edited

Loading

minutolc commented May 10, 2022

tmarkley commented May 10, 2022

minutolc commented May 10, 2022

tmarkley commented May 10, 2022

minutolc commented May 10, 2022

tmarkley commented May 10, 2022

minutolc commented May 20, 2022 •

edited

Loading

CVE-2022-0144 (High) detected in shelljs-0.6.1.tgz #1139

CVE-2022-0144 (High) detected in shelljs-0.6.1.tgz #1139

Comments

mend-for-github-com bot commented Jan 12, 2022 • edited Loading

CVE-2022-0144 - High Severity Vulnerability

minutolc commented May 10, 2022

tmarkley commented May 10, 2022

minutolc commented May 10, 2022

tmarkley commented May 10, 2022

minutolc commented May 10, 2022

tmarkley commented May 10, 2022

minutolc commented May 20, 2022 • edited Loading

mend-for-github-com bot commented Jan 12, 2022 •

edited

Loading

minutolc commented May 20, 2022 •

edited

Loading