
[GHSA-6h5x-7c5m-7cr7] Exposure of Sensitive Information in eventsource #373

Conversation

DaleGardner

Updates

  • Affected products
  • References

@github-actions github-actions bot changed the base branch from main to DaleGardner/advisory-improvement-373 June 9, 2022 21:11
@DaleGardner
Author

DaleGardner commented Jun 9, 2022

I confirmed with multiple security scans across multiple projects that v1.1.1 was still vulnerable.

I created a PR to remove v1.1.1 as a "patched" version, here: #366

However, that PR was incorrectly closed after a cursory review.

I then posted about the vulnerability on the eventsource repo, and a maintainer responded and then created a new version (v1.1.2) to fix the vulnerability. That PR is here: EventSource/eventsource#281

Following along that path, this PR now updates to indicate v1.1.2 as a patched version, and versions beneath that as affected.

Please do not close this PR. It should be reviewed and merged to update the advisory correctly.

@darakian
Contributor

darakian commented Jun 9, 2022

Hey @DaleGardner, please re-read this comment EventSource/eventsource#273 (comment)

As my colleague has already made clear here, this GHSA applies only to the lack of header removal. Please make a request to the eventsource project maintainers for a new GHSA, and we would be happy to include that in our database should they make one.

@DaleGardner
Author

DaleGardner commented Jun 10, 2022

> Hey @DaleGardner, please re-read this comment EventSource/eventsource#273 (comment)
>
> As my colleague has already made clear here, this GHSA applies only to the lack of header removal. Please make a request to the eventsource project maintainers for a new GHSA, and we would be happy to include that in our database should they make one.

@darakian My apologies. I guess the coincidence of having two security issues fixed in the same version (2.0.2) of the same repo at the same time got me confused when someone else was claiming they were resolved in 1.1.1 based on the advisory, when apparently only one of the two was backported to 1.1.1 at that time, and now 1.1.2 corrects the other, ugh.

I'll close this.

@github-actions github-actions bot deleted the DaleGardner-GHSA-6h5x-7c5m-7cr7 branch June 10, 2022 12:27