Vulnerabilities in arangodb 3.11
My Environment
- ArangoDB Version: 3.11
- Deployment Mode: cluster
- Deployment Strategy: Manual
- Configuration:
- Infrastructure: own
- Operating System: Windows 10
- Total RAM in your machine: 32 GB
- Disks in use: HDD
- Used Package:
Component, Query & Data
Affected feature:
AQL query (if applicable):
AQL explain and/or profile (if applicable):
Dataset:
Size of your Dataset on disk:
Replication Factor & Number of Shards (Cluster only):
Steps to reproduce
- I have downloaded the source code from GitHub for the 3.11 version
- Used JFrog Xray to run a scan on the downloaded source code
- Found the below-mentioned vulnerabilities.
Problem: JFrog Xray findings (source: JFrog; every finding is in the same file, `/c:/Users/ru713f/Desktop/test/arangodb-3.11/3rdParty/V8/v7.9.317/tools/turbolizer/package.json`; the line column is the line in that package.json):

| package.json line | Xray ID | CVE | Severity | Impacted component |
|---|---|---|---|---|
| 19 | XRAY-175028 | CVE-2021-23343 | High | path-parse:1.0.5 |
| 20 | XRAY-175028 | CVE-2021-23343 | High | path-parse:1.0.6 |
| 20 | XRAY-93302 | CVE-2019-20149 | High | kind-of:6.0.2 |
| 20 | XRAY-262079 | CVE-2022-38900 | High | decode-uri-component:0.2.0 |
| 27 | XRAY-127745 | CVE-2020-7751 | High | pathval:1.1.0 |
| 28 | XRAY-231760 | CVE-2020-7677 | Critical | thenify:3.3.0 |
| 28 | XRAY-522313 | CVE-2022-25883 | High | semver:5.5.0 |
| 28 | XRAY-262099 | CVE-2022-24999 | High | qs:6.5.2 |
| 28 | XRAY-176662 | CVE-2021-32640 | Medium | ws:5.2.2 |
| 29 | XRAY-200203 | CVE-2021-44906 | Critical | minimist:0.0.8 |
| 29 | XRAY-257996 | CVE-2022-3517 | High | minimatch:3.0.4 |
| 29 | XRAY-95385 | CVE-2020-7598 | Medium | minimist:0.0.8 |
| 30 | XRAY-200203 | CVE-2021-44906 | Critical | minimist:1.2.0 |
| 30 | XRAY-412548 | CVE-2022-46175 | High | json5:1.0.1 |
| 30 | XRAY-95385 | CVE-2020-7598 | Medium | minimist:1.2.0 |
| 32 | XRAY-522313 | CVE-2022-25883 | High | semver:5.5.0 |
| 32 | XRAY-257996 | CVE-2022-3517 | High | minimatch:3.0.4 |
Expected result:
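The Xray report above emits one diagnostic per (package.json line, component) pair, so a single CVE such as CVE-2021-44906 shows up several times and the raw hit count overstates the exposure. As an added example (not code from the issue or from ArangoDB), the script below parses records in the same JSON shape, groups them into one row per distinct (package, CVE), and tags paths under V8's `tools/` directory as developer tooling; the sample records, the `PATH` value and the `is_dev_tooling` heuristic are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Xray diagnostics pasted in the issue.
# The same CVE appears on several package.json lines, so raw counts overstate it.
PATH = "/c:/src/arangodb-3.11/3rdParty/V8/v7.9.317/tools/turbolizer/package.json"
SAMPLE = [
    {"resource": PATH, "code": "XRAY-200203", "startLineNumber": 29,
     "message": "CVE-2021-44906 - Severity: Critical\nImpacted Components: minimist:0.0.8"},
    {"resource": PATH, "code": "XRAY-200203", "startLineNumber": 30,
     "message": "CVE-2021-44906 - Severity: Critical\nImpacted Components: minimist:1.2.0"},
    {"resource": PATH, "code": "XRAY-95385", "startLineNumber": 29,
     "message": "CVE-2020-7598 - Severity: Medium\nImpacted Components: minimist:0.0.8"},
]

# Xray message field: "<CVE> - Severity: <level>\nImpacted Components: <pkg>:<version>"
MESSAGE_RE = re.compile(
    r"(?P<cve>CVE-\d{4}-\d{4,})\s*-\s*Severity:\s*(?P<sev>\w+)\s*\n"
    r"Impacted Components:\s*(?P<pkg>[^:\s]+):(?P<ver>\S+)")
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def parse_diagnostic(d):
    """Pull CVE, severity, package and version out of one Xray record."""
    m = MESSAGE_RE.search(d["message"])
    if not m:
        raise ValueError(f"unrecognised Xray message: {d['message']!r}")
    return {"cve": m["cve"], "severity": m["sev"], "package": m["pkg"],
            "version": m["ver"], "resource": d["resource"], "line": d["startLineNumber"]}

def is_dev_tooling(resource):
    """Assumption, not an ArangoDB fact: files under V8's tools/ are developer
    utilities, not code linked into the server. Confirm against the build."""
    return "/tools/" in resource.replace("\\", "/")

def triage(diagnostics):
    """One row per distinct (package, CVE) with all flagged versions and lines, worst severity first."""
    groups = defaultdict(lambda: {"versions": set(), "lines": set()})
    for d in diagnostics:
        p = parse_diagnostic(d)
        g = groups[(p["package"], p["cve"])]
        g["severity"], g["dev_tooling"] = p["severity"], is_dev_tooling(p["resource"])
        g["versions"].add(p["version"])
        g["lines"].add(p["line"])
    rows = [{"package": k[0], "cve": k[1], **v} for k, v in groups.items()]
    return sorted(rows, key=lambda r: -SEVERITY_RANK.get(r["severity"], 0))

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["severity"], r["cve"], r["package"], sorted(r["versions"]),
              "dev tooling" if r["dev_tooling"] else "runtime?")
```

Run against the full diagnostics array from an Xray export, the output is the short list a maintainer actually has to decide on, with the dev-tooling flag separating scanner noise from components that ship in the server.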
This affects me as well. Are these vulnerabilities mitigated by ArangoDB? It looks like the version of V8 used here (7.9) is from 2019. Node.js 16 LTS, which is now EOL, uses V8 9.0, while Node.js 18 LTS uses V8 10.1. As browsers have also moved on, it looks unlikely these vulnerabilities would be addressed in V8 7.9. What's standing in the way of upgrading ArangoDB's V8 to a more current version?
Edit: looks like #20324 and #20486 fix this. Is it possible to patch this fix into 3.11 as well?
ArangoDB 3.12 is going to contain an upgraded V8.