Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk: Med] Information Exposure (Due: 07/29/24) #6307

Closed
1 task
tmpayton opened this issue May 29, 2024 · 1 comment
Closed
1 task

[Snyk: Med] Information Exposure (Due: 07/29/24) #6307

tmpayton opened this issue May 29, 2024 · 1 comment
Assignees
@cnlucas
Labels
Security: moderate Remediate within 60 days
Milestone
25.4

Comments

@tmpayton
Copy link
Contributor

tmpayton commented May 29, 2024
edited by cnlucas
Loading

Affecting node-fetch package, versions <2.6.7 >=3.0.0 <3.1.1

How to fix?
Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.

Upgrade [email protected] to [email protected] to fix

Overview
node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Information Exposure when fetching a remote url with Cookie, if it get a Location response header, it will follow that url and try to fetch that url with provided cookie. This can lead to forwarding secure headers to 3th party.

Completion Criteria

  • Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.
@tmpayton tmpayton added the Security: moderate Remediate within 60 days label May 29, 2024
@tmpayton tmpayton added this to the 25.4 milestone May 29, 2024
@tmpayton tmpayton changed the title [Snyk: Med] Information Exposure (Due: 07/29/24 [Snyk: Med] Information Exposure (Due: 07/29/24) May 29, 2024
This was referenced May 29, 2024
Closed
Closed
@pkfec pkfec mentioned this issue Jun 12, 2024
Closed
2 tasks
@pkfec pkfec mentioned this issue Jun 20, 2024
Closed
3 tasks
@cnlucas cnlucas mentioned this issue Jun 26, 2024
Closed
2 tasks
@cnlucas cnlucas self-assigned this Jun 26, 2024
@cnlucas cnlucas mentioned this issue Jun 26, 2024
Closed
@cnlucas
Copy link
Member

cnlucas commented Jun 27, 2024

Context:
springload/draftail#456
springload/draftail#454
springload/draftail#138
springload/draftail#213
Draftail is not ready to upgrade to 0.11. Maintainers' comment states that the security concerns from fbjs, a large polyfill and utility library don’t end up being used in Draft.js / Draftail.

@cnlucas cnlucas closed this as completed Jun 27, 2024
@tmpayton tmpayton mentioned this issue Jun 27, 2024
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cnlucas cnlucas

Labels
Security: moderate Remediate within 60 days
Projects
Website project
Status: ✅ Done
Milestone
25.4
Development

Successfully merging a pull request may close this issue.

6307-pin draft-js fecgov/fec-cms
2 participants
@cnlucas @tmpayton