
[Component Governance Alert][GradleV2,3] Fix CVE-2022-24999 #18335

Merged

Conversation


@vmapetr vmapetr commented May 22, 2023

Task name:

  • GradleV2
  • GradleV3

Description:
This PR fixes CVE-2022-24999 in the qs package by removing the vulnerable Request dependency and updating codeanalysis-common package.

The Request package is deleted because it is a loose dependency. According to request/request#3142 it was deprecated and has received no security updates since 2020.

The codeanalysis-common package is updated to the recent version that doesn't use the vulnerable request package.

Vulnerability Description:
qs before 6.10.3 allows attackers to cause a Node process to hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.

Documentation changes required: N

Added unit tests: N

Checklist:

  • Task version was bumped - please check the instructions on how to do it
  • Checked that applied changes work as expected
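To show the guard that patched qs versions apply, here is an added example (not code from this PR, from the azure-pipelines-tasks repo, or from qs itself): a small bracket-notation query parser that refuses prototype keys, builds null-prototype objects, and reports which raw keys it rejected so a WAF rule or alert can use them. The function names and the MAX_PAIRS / MAX_DEPTH limits are assumptions.

```javascript
// Added example, not from the azure-pipelines-tasks PR or from qs: a bracket-notation
// query parser with the guard patched qs versions apply (refuse prototype keys),
// building null-prototype objects. MAX_PAIRS / MAX_DEPTH are assumed limits.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_PAIRS = 1000; // assumed cap on key=value pairs per query
const MAX_DEPTH = 5;    // assumed cap on bracket nesting depth

function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// "k=v" -> { rawKey: "k", value: "v" }; a pair without "=" gets an empty value.
function splitPair(pair) {
  const eq = pair.indexOf('=');
  return eq < 0 ? { rawKey: safeDecode(pair), value: '' }
                : { rawKey: safeDecode(pair.slice(0, eq)), value: safeDecode(pair.slice(eq + 1)) };
}

// "a[b][c]" -> ["a", "b", "c"]; null for keys that do not parse.
function splitKey(rawKey) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(rawKey);
  if (!m) return null;
  const segs = [m[1]];
  for (const s of m[2].matchAll(/\[([^[\]]*)\]/g)) segs.push(s[1]);
  return segs;
}

function isSafePath(segs) {
  return segs !== null && segs.length <= MAX_DEPTH && !segs.some((x) => FORBIDDEN.has(x));
}

// Raw keys a request would be rejected for: feed these to a WAF rule or an alert.
function auditQuery(query) {
  return query.split('&').map((p) => splitPair(p).rawKey)
              .filter((k) => !isSafePath(splitKey(k)));
}

// Parses into null-prototype objects, silently dropping unsafe keys.
function parseQuery(query) {
  const root = Object.create(null);
  for (const pair of query.split('&').slice(0, MAX_PAIRS)) {
    const { rawKey, value } = splitPair(pair);
    const segs = splitKey(rawKey);
    if (!isSafePath(segs)) continue;
    let node = root;
    for (const seg of segs.slice(0, -1)) {
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = Object.create(null);
      node = node[seg];
    }
    node[segs[segs.length - 1]] = value;
  }
  return root;
}
```

Run against the query string quoted in the vulnerability description above, auditQuery lists both a[__proto__] keys and parseQuery keeps only the harmless a[length] pair on an object with no prototype.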

@vmapetr vmapetr changed the title [GraldeV2] Remove vulnerable request dependency [Component Governance Alert][GradleV2,3] Fix CVE-2022-24999 May 22, 2023

vmapetr commented May 22, 2023

How it was tested:

  • Built & unit tested on the local machine
  • Built & unit tested in CI

@vmapetr vmapetr marked this pull request as ready for review May 22, 2023 15:12
@vmapetr vmapetr requested a review from a team as a code owner May 22, 2023 15:12
@vmapetr vmapetr merged commit 940c3fe into master May 29, 2023