Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz #1084

Closed
mend-for-github-com bot opened this issue Jan 4, 2022 · 7 comments · Fixed by #1320
Closed

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz #1084

mend-for-github-com bot opened this issue Jan 4, 2022 · 7 comments · Fixed by #1320
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented Jan 4, 2022
edited
Loading

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Dependency Hierarchy:

  • has-ansi-3.0.0.tgz (Root Library)
    • ansi-regex-3.0.0.tgz (Vulnerable Library)
ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Dependency Hierarchy:

  • github-checks-reporter-0.0.20-b3.tgz (Root Library)
    • strip-ansi-5.2.0.tgz
      • ansi-regex-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 4fd064970b66ce555f48c22dfab6ed965d0e260a

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (has-ansi): 5.0.0
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 4, 2022
@tmarkley tmarkley added high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jan 4, 2022
@tmarkley
Copy link
Contributor

tmarkley commented Jan 6, 2022
edited
Loading 

$ yarn why ansi-regex
yarn why v1.22.17
[1/4] Why do we have the module "ansi-regex"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "ansi-regex"
info Reasons this module exists
   - "workspace-aggregator-951a1914-7a65-48a8-9ec3-0f4c55d91856" depends on it
   - Hoisted from "_project_#elasticsearch#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#sass-lint#eslint#inquirer#ansi-regex"
   - Hoisted from "_project_#elasticsearch#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#listr#listr-update-renderer#strip-ansi#ansi-regex"
   - Hoisted from "_project_#@elastic#makelogs#update-notifier#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#node-sass#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#sass-lint#eslint#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#listr#listr-update-renderer#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#@elastic#makelogs#update-notifier#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#node-sass#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#sass-lint#eslint#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#listr#listr-update-renderer#cli-truncate#string-width#strip-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#node-sass#npmlog#gauge#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "has-ansi#[email protected]"
info This module exists because "_project_#has-ansi" depends on it.
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "pretty-format#[email protected]"
info This module exists because "_project_#pretty-format" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "strip-ansi#[email protected]"
info This module exists because "_project_#strip-ansi" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "grunt-run#[email protected]"
info Reasons this module exists
   - "_project_#grunt-run#strip-ansi" depends on it
   - Hoisted from "_project_#grunt-run#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@types/strip-ansi#[email protected]"
info Reasons this module exists
   - "_project_#@types#strip-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#@types#strip-ansi#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@elastic/github-checks-reporter#[email protected]"
info Reasons this module exists
   - "_project_#@elastic#github-checks-reporter#strip-ansi" depends on it
   - Hoisted from "_project_#@elastic#github-checks-reporter#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "eslint#[email protected]"
info Reasons this module exists
   - "_project_#eslint#strip-ansi" depends on it
   - Hoisted from "_project_#eslint#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@types/jest#[email protected]"
info Reasons this module exists
   - "_project_#@types#jest#pretty-format" depends on it
   - Hoisted from "_project_#@types#jest#pretty-format#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "license-checker#[email protected]"
info Reasons this module exists
   - "_project_#license-checker#chalk#has-ansi" depends on it
   - Hoisted from "_project_#license-checker#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#license-checker#chalk#strip-ansi#ansi-regex"
info Disk size without dependencies: "12KB"
info Disk size with unique dependencies: "12KB"
info Disk size with transitive dependencies: "12KB"
info Number of shared dependencies: 0
=> Found "grunt-available-tasks#[email protected]"
info Reasons this module exists
   - "_project_#grunt-available-tasks#chalk#has-ansi" depends on it
   - Hoisted from "_project_#grunt-available-tasks#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#grunt-available-tasks#chalk#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@osd/pm#[email protected]"
info Reasons this module exists
   - "_project_#@osd#pm#@types#strip-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#@osd#pm#@types#strip-ansi#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@osd/test#[email protected]"
info Reasons this module exists
   - "_project_#@osd#test#@types#strip-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#@osd#test#@types#strip-ansi#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "yargs#[email protected]"
info Reasons this module exists
   - "_project_#yargs#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#yargs#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "cliui#[email protected]"
info Reasons this module exists
   - "_project_#yargs#cliui#strip-ansi" depends on it
   - Hoisted from "_project_#yargs#cliui#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@types/testing-library__jest-dom#[email protected]"
info Reasons this module exists
   - "_project_#@types#testing-library__jest-dom#@types#jest#pretty-format" depends on it
   - Hoisted from "_project_#@types#testing-library__jest-dom#@types#jest#pretty-format#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "webpack-dev-server#[email protected]"
info Reasons this module exists
   - "_project_#@osd#ui-framework#webpack-dev-server#strip-ansi" depends on it
   - Hoisted from "_project_#@osd#ui-framework#webpack-dev-server#strip-ansi#ansi-regex"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@osd/ui-framework#[email protected]"
info Reasons this module exists
   - "_project_#@osd#ui-framework#grunt-contrib-copy#chalk#has-ansi" depends on it
   - Hoisted from "_project_#@osd#ui-framework#grunt-contrib-copy#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#grunt-contrib-copy#chalk#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wide-align#[email protected]"
info Reasons this module exists
   - "_project_#mocha#wide-align#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#mocha#wide-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wrap-ansi#[email protected]"
info Reasons this module exists
   - "_project_#yargs#cliui#wrap-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#yargs#cliui#wrap-ansi#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "table#[email protected]"
info Reasons this module exists
   - "_project_#eslint#table#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#eslint#table#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@testing-library/jest-dom#[email protected]"
info Reasons this module exists
   - "_project_#@testing-library#jest-dom#@types#testing-library__jest-dom#@types#jest#pretty-format" depends on it
   - Hoisted from "_project_#@testing-library#jest-dom#@types#testing-library__jest-dom#@types#jest#pretty-format#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "sass-lint#table#[email protected]"
info Reasons this module exists
   - "_project_#sass-lint#eslint#table#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#sass-lint#eslint#table#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "log-update#[email protected]"
info Reasons this module exists
   - "_project_#listr#listr-update-renderer#log-update#wrap-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#listr#listr-update-renderer#log-update#wrap-ansi#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "ansi-align#[email protected]"
info Reasons this module exists
   - "_project_#@elastic#safer-lodash-set#tsd#update-notifier#boxen#ansi-align#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#@elastic#safer-lodash-set#tsd#update-notifier#boxen#ansi-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
Done in 1.60s.

@tmarkley
Copy link
Contributor

tmarkley commented Jan 6, 2022
edited
Loading 

$ npm ls ansi-regex
[email protected] /home/ubuntu/ws/OpenSearch-Dashboards
├─┬ @elastic/[email protected]
│ └─┬ [email protected]
│   └── [email protected]
├─┬ @elastic/[email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     ├─┬ [email protected]
│     │ └── [email protected] deduped
│     └─┬ [email protected]
│       └── [email protected] deduped
├─┬ @elastic/[email protected] -> ./packages/opensearch-safer-lodash-set
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └─┬ [email protected]
│           └─┬ [email protected]
│             └── [email protected]
├─┬ @osd/[email protected] -> ./packages/osd-optimizer
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ ├─┬ [email protected]
│   │ │ └── [email protected] deduped
│   │ └─┬ [email protected]
│   │   └── [email protected] deduped
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └── [email protected] deduped
├─┬ @osd/[email protected] -> ./packages/osd-pm
│ └─┬ @types/[email protected]
│   └─┬ [email protected]
│     └── [email protected]
├─┬ @osd/[email protected] -> ./packages/osd-test
│ └─┬ @types/[email protected]
│   └─┬ [email protected]
│     └── [email protected]
├─┬ @osd/[email protected] -> ./packages/osd-ui-framework
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   ├─┬ [email protected]
│ │   │ └── [email protected]
│ │   └─┬ [email protected]
│ │     └── [email protected] deduped
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected]
├─┬ @testing-library/[email protected]
│ └─┬ [email protected]
│   └── [email protected]
├─┬ @testing-library/[email protected]
│ └─┬ @types/[email protected]
│   └─┬ @types/[email protected]
│     └─┬ [email protected]
│       └── [email protected]
├─┬ @types/[email protected]
│ └─┬ [email protected]
│   └── [email protected]
├─┬ @types/[email protected]
│ └─┬ [email protected]
│   └── [email protected]
├─┬ @types/[email protected]
│ └─┬ @types/[email protected]
│   └─┬ [email protected]
│     └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ └── [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ └── [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected]
├─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ └── [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
├─┬ [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ └─┬ [email protected]
│   │   └── [email protected] deduped
│   ├─┬ [email protected]
│   │ └─┬ [email protected]
│   │   └─┬ [email protected]
│   │     └── [email protected] deduped
│   ├─┬ [email protected]
│   │ └─┬ [email protected]
│   │   └─┬ [email protected]
│   │     └── [email protected]
│   └─┬ [email protected]
│     └── [email protected] deduped
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   └─┬ [email protected]
│ │     └── [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ ├─┬ [email protected]
│   │ │ └── [email protected]
│   │ └─┬ [email protected]
│   │   └─┬ [email protected]
│   │     └── [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ ├─┬ [email protected]
│   │ │ └── [email protected] deduped
│   │ └─┬ [email protected]
│   │   └── [email protected] deduped
│   ├─┬ [email protected]
│   │ └── [email protected] deduped
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └── [email protected]
└─┬ [email protected]
  └── [email protected]

@mend-for-github-com mend-for-github-com bot changed the title CVE-2021-3807 (High) detected in ansi-regex-5.0.0.tgz, ansi-regex-4.1.0.tgz CVE-2021-3807 (High) detected in multiple libraries Jan 14, 2022
@mend-for-github-com mend-for-github-com bot changed the title CVE-2021-3807 (High) detected in multiple libraries CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz Feb 9, 2022
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@rshen91
feat(a11y): add basic aria-label to canvas element (opensearch-projec…
d4b3e4f 
…t#1084)
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@semantic-release-bot
chore(release): 26.1.0 [skip ci]
fd910a5 
# [26.1.0](elastic/elastic-charts@v26.0.0...v26.1.0) (2021-03-26)

### Features

* **a11y:** add basic aria-label to canvas element ([opensearch-project#1084](elastic/elastic-charts#1084)) ([d4b3e4f](elastic/elastic-charts@d4b3e4f))
* **xy_charts:** render legend inside the chart ([opensearch-project#1031](elastic/elastic-charts#1031)) ([b271d09](elastic/elastic-charts@b271d09)), closes [opensearch-project#861](elastic/elastic-charts#861)
@tmarkley tmarkley self-assigned this Feb 14, 2022
@tmarkley tmarkley mentioned this issue Mar 1, 2022
Merged
7 tasks
This was referenced Mar 3, 2022
Closed
Closed
@mend-for-github-com mend-for-github-com bot changed the title CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz Mar 3, 2022
@tmarkley tmarkley added the v2.0.0 label Mar 4, 2022
tmarkley pushed a commit to tmarkley/OpenSearch-Dashboards that referenced this issue Mar 4, 2022
@Tengda-He
Resolves ansi-regex to v5.0.1
d99bbd0 
* Addresses known Inefficient Regular Expression Complexity CVE
  in `ansi-regex` < 5.0.1: CVE-2021-3807
* `webpack-dev-server` has a downstream dependency on
  `ansi-regex` v6.0.1 but it's still compatible with v5.0.1.

Resolves opensearch-project#1084

Signed-off-by: Tengda He <[email protected]>
tmarkley pushed a commit to tmarkley/OpenSearch-Dashboards that referenced this issue Mar 4, 2022
@Tengda-He
Resolves ansi-regex to v5.0.1
8db2ea7 
* Addresses known Inefficient Regular Expression Complexity CVE
  in `ansi-regex` < 5.0.1: CVE-2021-3807
* `webpack-dev-server` has a downstream dependency on
  `ansi-regex` v6.0.1 but it's still compatible with v5.0.1.

Resolves opensearch-project#1084

Signed-off-by: Tengda He <[email protected]>
tmarkley pushed a commit that referenced this issue Mar 4, 2022
@Tengda-He
Resolves ansi-regex to v5.0.1
bab6e85 
* Addresses known Inefficient Regular Expression Complexity CVE
  in `ansi-regex` < 5.0.1: CVE-2021-3807
* `webpack-dev-server` has a downstream dependency on
  `ansi-regex` v6.0.1 but it's still compatible with v5.0.1.

Resolves #1084

Signed-off-by: Tengda He <[email protected]>
@tmarkley tmarkley mentioned this issue Mar 4, 2022
Merged
7 tasks
tmarkley pushed a commit that referenced this issue Mar 14, 2022
Resolves ansi-regex to v5.0.1 (#1320)
15e4bc2 
* Addresses known Inefficient Regular Expression Complexity CVE
  in `ansi-regex` < 5.0.1: CVE-2021-3807
* `webpack-dev-server` has a downstream dependency on
  `ansi-regex` v6.0.1 but it's still compatible with v5.0.1.

Resolves #1084

Signed-off-by: Tengda He <[email protected]>
@tmarkley tmarkley mentioned this issue Apr 13, 2022
Open
@minutolc
Copy link

this issue is closed but I still have this CVE detected in the 1.3.2 versions or 2.0.0-rc1 version of opensearch dashboard. Anyone can explain if this issue is really done or not ?

@tmarkley
Copy link
Contributor

Hi @minutolc, yes this CVE is addressed in 2.0:

OpenSearch-Dashboards/package.json

Line 78 in 5c00c1e

"**/ansi-regex": "^5.0.1",

It's not fixed in 1.3.2 because the fix involves a breaking change.

@minutolc
Copy link

minutolc commented May 10, 2022
edited
Loading

Is it normal that i detect it also in 2.0.0-rc1 ? or it would be correct only in 2.0.0 ?

@tmarkley
Copy link
Contributor

The CVE is mitigated in 2.0.0-rc1 as well, so no that's not normal. Can you provide details about how you're detecting the CVE?

@minutolc
Copy link

minutolc commented May 11, 2022
edited
Loading

I use Anchore in order to detect CVE :

result from Anchore

stop : vulnerabilities / package / HIGH Vulnerability found in non-os package type (npm) - /usr/share/opensearch-dashboards/plugins/notificationsDashboards/node_modules/wrap-ansi/node_modules/ansi-regex/package.json (CVE-2021-3807 - https://nvd.nist.gov/vuln/detail/CVE-2021-3807)

@ZilongX ZilongX mentioned this issue Sep 28, 2022
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Resolves ansi-regex to v5.0.1 tmarkley/OpenSearch-Dashboards
2 participants
@tmarkley @minutolc