Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): ensure glob-parent is above 5.1.2 - CVE-2020-28469 #1916

Closed
petermetz opened this issue Mar 14, 2022 · 0 comments · Fixed by #1917
Closed

fix(deps): ensure glob-parent is above 5.1.2 - CVE-2020-28469 #1916

petermetz opened this issue Mar 14, 2022 · 0 comments · Fixed by #1917
Assignees
Labels
dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities

Comments

@petermetz
Copy link
Contributor

Severity
High
7.5
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses
CWE-400
CVE ID
CVE-2020-28469
GHSA ID
GHSA-ww39-953v-wcq6

Dependabot cannot update glob-parent to a non-vulnerable version
The latest possible version that can be installed is 3.1.0 because of the following conflicting dependency:

cpy-cli@3.1.1 requires glob-parent@^3.1.0 via a transitive dependency on fast-glob@2.2.7
The earliest fixed version is 5.1.2.

Package
Affected versions
Patched version
glob-parent
(npm)
< 5.1.2
5.1.2
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

@petermetz petermetz added dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities labels Mar 14, 2022
@petermetz petermetz self-assigned this Mar 14, 2022
petermetz added a commit to petermetz/cacti that referenced this issue Mar 14, 2022
1. Upgrade cpy-cli to 4.1.0
2. Force glob-parent to be on 5.1.2

TODO: The proper solution to 2) is to upgrade Angular to 13
so we do need to do that later when more time is available.

Fixes hyperledger-cacti#1916

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Mar 14, 2022
1. Upgrade cpy-cli to 4.1.0
2. Force glob-parent to be on 5.1.2

TODO: The proper solution to 2) is to upgrade Angular to 13
so we do need to do that later when more time is available.

Fixes hyperledger-cacti#1916

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Mar 15, 2022
1. Upgrade cpy-cli to 4.1.0
2. Force glob-parent to be on 5.1.2

TODO: The proper solution to 2) is to upgrade Angular to 13
so we do need to do that later when more time is available.

Fixes hyperledger-cacti#1916

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit that referenced this issue Mar 15, 2022
1. Upgrade cpy-cli to 4.1.0
2. Force glob-parent to be on 5.1.2

TODO: The proper solution to 2) is to upgrade Angular to 13
so we do need to do that later when more time is available.

Fixes #1916

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant