Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Scan "Vulnerability" CVE-2023-29827 #9867

Open
kyle-apex opened this issue Aug 16, 2023 · 3 comments
Open

Security Scan "Vulnerability" CVE-2023-29827 #9867

kyle-apex opened this issue Aug 16, 2023 · 3 comments
Labels

Comments

@kyle-apex
Copy link
Contributor

Describe the bug

@loopback/rest triggers a critical security vulnerability due to strong-error-handler's dependency on ejs.

The vulnerability is currently disputed by ejs, but does the Loopback team have an official statement/documentation as to why this isn't a vulnerability in Loopback's usage of ejs or a plan to remove ejs entirely?

Thanks!

Relevant Links:
https://nvd.nist.gov/vuln/detail/CVE-2023-29827
GHSA-j5pp-6f4w-r5r6
mde/ejs#720 (comment)

Logs

No response

Additional information

No response

Reproduction

https://nvd.nist.gov/vuln/detail/CVE-2023-29827

@KalleV
Copy link
Contributor

KalleV commented Aug 25, 2023

I don't know if this is the best approach for this but I wanted to offer some help resolving this one: loopbackio/strong-error-handler#219

@achrinza
Copy link
Member

achrinza commented Aug 28, 2023

Thanks for raising the issue, @kyle-apex. Since it's disputed on the merit that it's a misuse of the API to be pssing unsanitised data, it'll be dependent on how strong-error-handler uses the API.

I'll see if I can allocate some time to look into this and ger back to you.

Thanks for the PR, @KalleV; Much appreciated! Since you've kindly submitted a PR, we can probably proceed with merging the changes (after a quick review by the maintainers) regardless of the exploitability of the vulnerability in strong-error-handler.

From this issue, we should have 2 deliverables:

  1. A VEX document (CSAF 2.0) detailing the exploitability - To be published under https://github.com/loopbackio/security
  2. Merging fix(cve-2023-29827): replace EJS with Handlebars to resolve security warning strong-error-handler#219

@ASISBusiness
Copy link

Describe the bug

@loopback/rest triggers a critical security vulnerability due to strong-error-handler's dependency on ejs.

The vulnerability is currently disputed by ejs, but does the Loopback team have an official statement/documentation as to why this isn't a vulnerability in Loopback's usage of ejs or a plan to remove ejs entirely?

Thanks!

Relevant Links:

https://nvd.nist.gov/vuln/detail/CVE-2023-29827

GHSA-j5pp-6f4w-r5r6

mde/ejs#720 (comment)

Logs

No response

Additional information

No response

Reproduction

https://nvd.nist.gov/vuln/detail/CVE-2023-29827

KalleV added a commit to KalleV/strong-error-handler that referenced this issue Sep 1, 2023
KalleV added a commit to KalleV/strong-error-handler that referenced this issue Nov 8, 2023
KalleV added a commit to KalleV/strong-error-handler that referenced this issue Nov 9, 2023
achrinza pushed a commit to loopbackio/strong-error-handler that referenced this issue Nov 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

4 participants