
[Snyk: Med] Information Exposure (Due: 07/29/24) #6307

Closed
1 task
tmpayton opened this issue May 29, 2024 · 1 comment
Labels
Security: moderate Remediate within 60 days

Comments
@tmpayton
Contributor

tmpayton commented May 29, 2024

Affecting node-fetch package, versions <2.6.7 >=3.0.0 <3.1.1

How to fix?
Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.

Upgrade [email protected] to [email protected] to fix

Overview
node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Information Exposure: when fetching a remote URL with a Cookie header, if it gets a Location response header it will follow that URL and try to fetch it with the provided cookie. This can lead to forwarding secure headers to a third party.

Completion Criteria

  • Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.
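The redirect behaviour described in the overview, as an added example that is not part of this issue and is not node-fetch's own code: a small redirect follower that mirrors the approach of the 2.6.7 / 3.1.1 mitigation, dropping credential-bearing request headers (Cookie, Authorization and friends) before a Location redirect is followed to a different site. The fake fetch function, the URLs, the header list and the same-site rule (same scheme, and destination host equal to or a subdomain of the current host) are all constructed for this illustration.

```javascript
// Added example, not node-fetch's own code. Demonstrates the defender's fix for
// the cookie-forwarding problem: credential headers are stripped when a redirect
// leaves the current site. All URLs and responses below are constructed.

// Header names that carry credentials and must not cross to another site.
// Assumption for this example: a reasonable default list, compared case-insensitively.
const CREDENTIAL_HEADERS = ['cookie', 'cookie2', 'authorization', 'www-authenticate'];

// Same site for this example: same scheme, and the destination host is the
// current host or a subdomain of it. The hostname comparison is the kind
// node-fetch uses; the scheme check is an extra guard this example adds.
function isSameSite(currentUrl, destinationUrl) {
  const cur = new URL(currentUrl);
  const dest = new URL(destinationUrl);
  if (cur.protocol !== dest.protocol) return false;
  return dest.hostname === cur.hostname ||
    dest.hostname.endsWith('.' + cur.hostname);
}

// Headers to send on the next hop: unchanged for a same-site redirect,
// otherwise every credential header is removed.
function headersForRedirect(headers, currentUrl, destinationUrl) {
  if (isSameSite(currentUrl, destinationUrl)) return { ...headers };
  const safe = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.includes(name.toLowerCase())) safe[name] = value;
  }
  return safe;
}

// Follow redirects using a caller-supplied fetch-like function so the example
// runs offline. fetchImpl(url, headers) returns { status, headers, body }.
// Returns every hop actually made, with the headers that were sent on it.
function followRedirects(fetchImpl, startUrl, headers, maxRedirects = 5) {
  const hops = [];
  let url = startUrl;
  let current = { ...headers };
  for (let i = 0; i <= maxRedirects; i++) {
    const response = fetchImpl(url, current);
    hops.push({ url, headers: current, status: response.status });
    const location = response.headers && response.headers.location;
    if (!location || ![301, 302, 303, 307, 308].includes(response.status)) {
      return { hops, final: response };
    }
    const next = new URL(location, url).toString(); // resolves relative Location values
    current = headersForRedirect(current, url, next);
    url = next;
  }
  throw new Error('too many redirects');
}

// Constructed responses: the app host redirects once to its own subdomain,
// which then redirects to an unrelated third-party host.
const FAKE_RESPONSES = {
  'https://app.example/login': {
    status: 302, headers: { location: 'https://api.app.example/session' }, body: '' },
  'https://api.app.example/session': {
    status: 302, headers: { location: 'https://tracker.third-party.test/collect' }, body: '' },
  'https://tracker.third-party.test/collect': { status: 200, headers: {}, body: 'ok' },
};

function fakeFetch(url) {
  return FAKE_RESPONSES[url] || { status: 404, headers: {}, body: '' };
}

// Run the constructed scenario: the cookie survives the same-site hop and is
// removed before the third-party hop.
function demo() {
  return followRedirects(fakeFetch, 'https://app.example/login',
    { Cookie: 'session=abc123', Accept: 'text/html' });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hop of demo().hops) {
    console.log(hop.status, hop.url, JSON.stringify(hop.headers));
  }
}
```

Running the file prints one line per hop; the third line, for the third-party host, shows only the Accept header. The vulnerable behaviour is what you get if `headersForRedirect` simply returned `headers` unchanged, which is why the Completion Criteria require the fixed node-fetch versions rather than application-level workarounds.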
@tmpayton tmpayton added the Security: moderate Remediate within 60 days label May 29, 2024
@tmpayton tmpayton added this to the 25.4 milestone May 29, 2024
@tmpayton tmpayton changed the title [Snyk: Med] Information Exposure (Due: 07/29/24 [Snyk: Med] Information Exposure (Due: 07/29/24) May 29, 2024
@pkfec pkfec moved this to 🗄️ PI backlog in Website project Jun 12, 2024
@cnlucas cnlucas self-assigned this Jun 26, 2024
@cnlucas
Member

cnlucas commented Jun 27, 2024

Context:
springload/draftail#456
springload/draftail#454
springload/draftail#138
springload/draftail#213
Draftail is not ready to upgrade to 0.11. Maintainers' comment states that the security concerns from fbjs, a large polyfill and utility library don’t end up being used in Draft.js / Draftail.

Projects
Status: ✅ Done