-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🚨 HIGH Severity Vulnerability: Package unsafe for use as of v1.1.8 🚨 #136
🚨 HIGH Severity Vulnerability: Package unsafe for use as of v1.1.8 🚨 #136
Comments
CVE-2023-42282 is associated with this issue, mentioning it for cross-reference as well. |
@indutny any update on this? |
Hi @taylorjdawson @carnil @glitch-txs, Notice that [email protected] is affected by CVE-2023-42282 - github/advisory-database#3504 We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ip 1.1.8-sp and 2.0.0-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free. If relevant, check out our GitHub repo if you wish to learn more, or start using our app. Please feel free to reach us at [email protected] if you have any requests/questions. |
Looks like there is an open PR: #138 that fixes this issue. Any timeline on when it will be merged and released? |
Any update on this? |
There is an open PR for this ... --' |
@mukitmomin @damonholden @aminekun90 notice @mnikolaus 's comment on #138 that the current PR covers only a limited number of cases and as @n0099 mentioned there are many other options |
Are there any known workarounds then? We've had to move our project to critical vulnerability blockers only for this. |
For our project we unfortunately got rid of the library using node-ip |
@damonholden - as others suggested you might try getting rid of node-ip. Alternatively we (Seal Security) released a patch that we believe covers all the cases. You can check out or our GitHub repo and our app - it's free to use for open source projects. |
@levpachmanov, may I ask, was it also your team that reported the issue to NIST in the first place? |
@dchambers no, the credit goes to @cosmosofcyberspace AFAIK. We have only suggested updating the affected version range of the advisory (even though @G-Rath did it first) and trying to help the community remediate the risk. |
I feel that this CVE is less critical than it's made to appear and that this issue (title + description) are a bit alarmist. What's going on here is that the The advisory labels this a high and talks of remote code execution, information disclosure and server-side request forgery. None of that is true when you look at You're only vulnerable to anything remotely close to what the advisory talks about if:
Only then, you have a problem. If you've somehow landed here because your favourite / work imposed security tool is raising an alarm about this, you're probably fine. I suggest that you check for yourself to see if your code is affect. It most likely isn't. I personally did this by searching for |
i am getting this NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks on npm install in my react-native project from today i am unable to understand why this issue is arise but it shows me to downgrade my react native version and i am downgrading the it says upgrading the version so i researched that the npm ip is getting issue from nodemodule file in my project so i find and found this page so please give any solution or suggestion and fix as soon as possible. |
@levpachmanov I'm curious, do you also publish the patches as forks to npm? Then it would be easy to consume as a package resolution override. |
I have submitted a PR (github/advisory-database#3531) to GitHub's advisory database to change it to reflect the reality of the issue and reduce its severity. |
any latest update on this https://security.snyk.io/vuln/SNYK-JS-IP-6240864 ? |
It seems there is a PR (#138) |
Hi @kellyselden @electrovir @mattd-tg @DSurguy-Sterling - since a public fix hasn’t been released yet, we published the versions we patched to NPM as well |
Hi all! We can close this issue. The PR #138 (comment) is now merged and the |
## About the changes Bump IP package that fixes indutny/node-ip#136 vulnerability
## About the changes Bump IP package that fixes indutny/node-ip#136 vulnerability
The CVE reported in the github advisory database is not written correctly. NPM does not accept version v1.1.9 as a patched version as the existing CVE lists affected versions are <=2.0.0. This PR fixes the advisory to accept v1.1.9 as a patched version as well. Any idea when/how CVE can be updated? |
This is not resolved in 1.1.9/2.0.1. See #143 for more details. |
Can the maintainer/group with Write access take a look at #144? |
1.1.8-sp this patch version not found in registry https://registry.npmjs.org/ip/-/ip-1.1.8-sp.tgz |
Until PR is merge to mitigate this attack vector, package should be deemed unsafe for use.
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks, see GitHub advisory for more information.
The text was updated successfully, but these errors were encountered: