Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2023-45857] Axios Cross-Site Request Forgery Vulnerability in transitive dependency #1440

Open
patricknick opened this issue Nov 14, 2023 · 3 comments
Open

[CVE-2023-45857] Axios Cross-Site Request Forgery Vulnerability in transitive dependency #1440

patricknick opened this issue Nov 14, 2023 · 3 comments
Labels
area/mixins Custom mixin code help-wanted We'd love your contributions on this issue impact/security kind/bug Some behavior is incorrect or out of spec

Comments

@patricknick
Copy link

patricknick commented Nov 14, 2023
edited

What happened?

Github currently reports a vulnerability for Axios on the versions >= 0.8.1, < 1.6.0. Axios is used in adal-node, a transitive dependency of azure/ms-rest-nodeauth, which again is used by pulumi/azure.

When investigating the dependency chain, I noticed that adal-node is no longer maintained. azure/ms-rest-nodeauth is also not longer actively developed and is not planning to removed adal-node. See Azure/ms-rest-nodeauth#128. Instead, they suggest to migrate to @azure/identity.

This is blocking us from addressing the initial Axios security warning. Do you have plans to migrate away from azure/ms-rest-nodeauth?

Example

N/A

Output of pulumi about

N/A

Additional context

Affects @pulumi/azure v5.55.0

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
@patricknick patricknick added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 14, 2023
@mikhailshilkov mikhailshilkov added impact/security area/mixins Custom mixin code and removed needs-triage Needs attention from the triage team labels Nov 15, 2023
@mikhailshilkov
Copy link
Member

Yes, thank you for bringing this up, we use that dependency in our callback function mixins. Any chance you have bandwidth to try to open a PR for such an upgrade?

@mikhailshilkov mikhailshilkov added the help-wanted We'd love your contributions on this issue label Nov 15, 2023
@levpachmanov
Copy link

Hey @patricknick @mikhailshilkov,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an axios 0.27.2-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at [email protected] if you have any requests/questions.

@patricknick
Copy link
Author

patricknick commented Nov 29, 2023
edited

@mikhailshilkov I looked briefly into the required upgrade steps to @azure/identity. Most of it does seem straight-forward, there is a migration guide available.

However, the new package is constructed a bit differently from the old one, meaning, not all options that Pulumi uses (for example ARM_MSI_ENDPOINT) are available anymore. I think a bit of knowledge about Azure Identity Management and the Pulumi codebase is required to make this change solid. Unfortunately, I don't know either, and the required ramp up does exceed my bandwidth at the moment. Or do you have any resources that could help with this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/mixins Custom mixin code help-wanted We'd love your contributions on this issue impact/security kind/bug Some behavior is incorrect or out of spec
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mikhailshilkov @patricknick @levpachmanov