CVE-2022-25881 (High) detected in http-cache-semantics-4.1.0.tgz - autoclosed

[mend-for-github-com]

CVE-2022-25881 - High Severity Vulnerability

Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Dependency Hierarchy:

• ms-chromium-edge-driver-0.4.3.tgz (Root Library)
  • got-11.8.5.tgz
    • cacheable-request-7.0.2.tgz
      • ❌ http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: cba076465f44b6a819e3cff7986ff4cd21a66371

Found in base branch: main

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-25881

Release Date: 2023-01-31

Fix Resolution: http-cache-semantics - 4.1.1

[ananzh]

• CVE description

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

• http-cache-semantics usage

yarn why http-cache-semantics
yarn why v1.22.19
[1/4] Why do we have the module "http-cache-semantics"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#geckodriver#got#cacheable-request" depends on it
   - Hoisted from "_project_#geckodriver#got#cacheable-request#http-cache-semantics"
   - Hoisted from "_project_#re2#node-gyp#make-fetch-happen#http-cache-semantics"
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "44KB"
info Disk size with transitive dependencies: "44KB"
info Number of shared dependencies: 0
Done in 0.93s.

Action items

geckodriver has a sub dependency of http-cache-semantics 4.1.0.

• Bump geckodriver ??
  Currently, in main, we have geckodriver @3.2.0 which is the highest published version. Therefore we are not able to bump this package.

yarn why geckodriver
yarn why v1.22.19
[1/4] Why do we have the module "geckodriver"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "geckodriver"
info Reasons this module exists
   - "workspace-aggregator-7626bb5e-c07c-4dc4-9fa9-459b7bf79a23" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#geckodriver"
info Disk size without dependencies: "12.81MB"
info Disk size with unique dependencies: "15.51MB"
info Disk size with transitive dependencies: "16.75MB"
info Number of shared dependencies: 22
Done in 0.96s.

• Resolve http-cache-semantics to 4.1.1
  This is the right direction for us to solve the issue.

[ananzh]

@aoguan1990
Since you are our on-call, could you help us to fix this CVE and also backport to the previous branches? (backport 2.x 2.5 1.x and 1.3)

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.