Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

High Severity Vulnerbility in Rekit-core #221

Open
nrydevopswatch opened this issue Mar 6, 2020 · 4 comments
Open

High Severity Vulnerbility in Rekit-core #221

nrydevopswatch opened this issue Mar 6, 2020 · 4 comments

Comments

@nrydevopswatch
Copy link

nrydevopswatch commented Mar 6, 2020

Hello,

Is there a workaround for this? It makes it unusable for our project as Rekit-Core currently includes "decompress" NPM package with a high severity vulnerability.

=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Write │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ decompress │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rekit-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ rekit-core > download-git-repo > download > decompress │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1217
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 2148395 scanned packages

@nrydevopswatch
Copy link
Author

Here is the output from a scan using Snyk:

Tested 1870 dependencies for known issues, found 19 issues, 21 vulnerable paths.

Issues with no direct upgrade or patch:
✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://snyk.io/vuln/SNYK-JS-DECOMPRESS-557358] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > [email protected]
No upgrade or patch available
✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://snyk.io/vuln/SNYK-JS-DECOMPRESSTAR-559095] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 2 other path(s)
No upgrade or patch available
✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-DOTPROP-543489] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
This issue was fixed in versions: 5.1.1
✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-535497] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Out-of-Bounds [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-535498] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ NULL Pointer Dereference [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-535502] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Out-of-bounds Read [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540956] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540958] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Uncontrolled Recursion [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540964] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ NULL Pointer Dereference [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540974] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540978] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540980] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540990] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ NULL Pointer Dereference [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540992] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ NULL Pointer Dereference [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540994] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Out-of-bounds Read [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540996] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Out-of-Bounds [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540998] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541000] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available
✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541002] in [email protected]
introduced by [email protected] > [email protected]
No upgrade or patch available

Organization: nrydevopswatch
Package manager: npm
Target file: package-lock.json
Project name: blackbird-scanner
Open source: no
Project path: /home/rbruscoe/dev/blackbird-scanner
Licenses: enabled

Run snyk wizard to address these issues.

@supnate
Copy link
Owner

supnate commented Mar 7, 2020

Hello, are you using rekit 2.x? For 3.x rekit-core is no longer a dependency of the projects.

@nrydevopswatch
Copy link
Author

I'm using Rekit 3.0.0 and I followed the instructions to build it on your README.md for a new project.

@nrydevopswatch
Copy link
Author

I just removed Rekit-Core 3.0.0 from the 'package.json'; deleted the 'package-lock.json' and the 'node_modules' folder. Then I did a fresh 'npm install' and tried to then do 'npm start' but it failed with several errors saying it could not find the 'rekit-core' dependency.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants