Security vulnerability CVE-2022-23540, CVE-2022-23539, CVE-2022-23541, CVE-2022-23529 #4400

Closed
Zebin-Zhou opened this issue Dec 28, 2022 · 4 comments · Fixed by #4409

Zebin-Zhou commented Dec 28, 2022

The dependency jsonwebtoken-8.5.1 should be updated to 9.0.0

@Zebin-Zhou Zebin-Zhou added bug Indicates an unexpected problem or an unintended behavior. needs-triage The issue has just been created and it has not been reviewed by the team. labels Dec 28, 2022
@tracyboehrer
Member

There was a PR for this, but it's still being detected. Maybe through another dependency?


@artificialrobot

@tracyboehrer @azure/msal-node uses jsonwebtoken which is a transitive dependency from @azure/identity. msal-node bumped their version here: AzureAD/microsoft-authentication-library-for-js#5503, but have not published a new release. So I think there is a patch train that needs to happen to get this cleared out...

@tracyboehrer tracyboehrer added ExemptFromDailyDRIReport Use this label to exclude the issue from the DRI report. and removed needs-triage The issue has just been created and it has not been reviewed by the team. labels Jan 5, 2023
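
The case raised in the comments above, where the direct dependency is bumped but a scanner still reports jsonwebtoken through @azure/identity and @azure/msal-node, can be traced from the lockfile. This is an added example, not code from this repository or from anyone in the thread; the function names, the sample lockfile and the @azure package versions in it are constructed for illustration.

```javascript
const parts = (v) => v.split('-')[0].split('.').map(Number); // "8.5.1" -> [8, 5, 1]
function lessThan(a, b) {
  const [pa, pb] = [parts(a), parts(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Node resolution: try the dependent's own node_modules, then each parent's.
function resolve(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null; // not installed, e.g. a skipped optional dependency
    const cut = dir.lastIndexOf('/node_modules/');
    dir = cut === -1 ? '' : dir.slice(0, cut);
  }
}

// Walk package-lock.json (lockfileVersion 2 or 3) from the root and return one
// chain per package that pulls in a copy of `name` older than `fixed`.
function findChains(lock, name, fixed) {
  const packages = lock.packages || {};
  const chains = [];
  const seen = new Set(); // expand each installed package once (handles cycles)
  const walk = (path, trail) => {
    if (seen.has(path)) return;
    seen.add(path);
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...(path ? {} : pkg.devDependencies) };
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (!target) continue;
      const next = [...trail, dep + '@' + packages[target].version];
      if (dep === name && lessThan(packages[target].version, fixed)) chains.push(next.join(' > '));
      walk(target, next);
    }
  };
  if (packages['']) walk('', []);
  return chains;
}
// Constructed lockfile; only the jsonwebtoken versions come from the thread.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { dependencies: { jsonwebtoken: '^9.0.0', '@azure/identity': '^3.0.0' } },
  'node_modules/jsonwebtoken': { version: '9.0.0' },
  'node_modules/@azure/identity': { version: '3.0.0', dependencies: { '@azure/msal-node': '^1.0.0' } },
  'node_modules/@azure/msal-node': { version: '1.0.0', dependencies: { jsonwebtoken: '^8.5.1' } },
  'node_modules/@azure/msal-node/node_modules/jsonwebtoken': { version: '8.5.1' },
} };
console.log(findChains(sampleLock, 'jsonwebtoken', '9.0.0'));
```

On an installed tree, `npm ls jsonwebtoken` reports the same chains without a script.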
@vhensorskyi

Hi guys,

Is there any update on the vulnerability? When is it going to be fixed and a new version released?

@aslubsky

Hey @tracyboehrer is there any ETA when this fix can be published on npm?
