Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-46175 (High) detected in json5-1.0.1 #3305

Closed
jovancacvetkovic opened this issue Jan 23, 2023 · 2 comments
Closed

CVE-2022-46175 (High) detected in json5-1.0.1 #3305

jovancacvetkovic opened this issue Jan 23, 2023 · 2 comments
Assignees
@ananzh
Labels
cve Security vulnerabilities detected by Dependabot or Mend

Comments

@jovancacvetkovic
Copy link

CVE-2022-46175 - High Severity Vulnerability

Vulnerability Library - JSON5 - 1.0.1 

JSON5 - 1.0.1 (current version)
Found in base branch: main

CVSS 3 Score Details - (7.1)

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: Dec 16, 2022

Fix Resolution: json5 - 1.0.2

More Info

json5 issue resolved with #295
@jovancacvetkovic jovancacvetkovic added bug Something isn't working untriaged labels Jan 23, 2023
@jovancacvetkovic jovancacvetkovic mentioned this issue Jan 23, 2023
Closed
@ananzh ananzh self-assigned this Jan 23, 2023
@ananzh
Copy link
Member

ananzh commented Jan 26, 2023 

ubuntu@ip-172-31-55-237:~/OpenSearch-Dashboards$ yarn why json5
yarn why v1.22.19
[1/4] Why do we have the module "json5"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "json5"
info Reasons this module exists
   - "workspace-aggregator-6a855179-4ba4-4c78-a987-b6a2e093fc8b" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#json5"
   - Hoisted from "_project_#eslint-plugin-import#tsconfig-paths#json5"
info Disk size without dependencies: "112KB"
info Disk size with unique dependencies: "216KB"
info Disk size with transitive dependencies: "216KB"
info Number of shared dependencies: 1
=> Found "@babel/core#[email protected]"
info This module exists because "_project_#@babel#core" depends on it.
info Disk size without dependencies: "292KB"
info Disk size with unique dependencies: "292KB"
info Disk size with transitive dependencies: "292KB"
info Number of shared dependencies: 0
=> Found "loader-utils#[email protected]"
info This module exists because "_project_#@osd#ui-shared-deps#loader-utils" depends on it.
info Disk size without dependencies: "292KB"
info Disk size with unique dependencies: "292KB"
info Disk size with transitive dependencies: "292KB"
info Number of shared dependencies: 0
Done in 0.94s.

@ananzh
Copy link
Member

ananzh commented Jan 26, 2023

We don't have json5 1.0.1 any more
It has been bumped in this PR: #3201

Close this issue

@ananzh ananzh closed this as completed Jan 26, 2023
@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend and removed bug Something isn't working labels Mar 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ananzh ananzh

Labels
cve Security vulnerabilities detected by Dependabot or Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@joshuarrrr @jovancacvetkovic @ananzh