
[Security Vulnerability] NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks

Open xiaweiss opened this issue 1 year ago • 3 comments

[email protected] => [email protected] => [email protected]


xiaweiss avatar Feb 20 '24 05:02 xiaweiss

see pr: https://github.com/ali-sdk/ali-oss/pull/1292

xiaweiss avatar Feb 20 '24 05:02 xiaweiss

Hi, I see the PR https://github.com/ali-sdk/ali-oss/pull/1292 got closed... will this be handled?

taltal78 avatar Jun 03 '24 09:06 taltal78

This vulnerability still exists... how would this be handled? The latest urllib version is available, which is free from the vulnerability. Thanks

I072744 avatar Jun 04 '24 09:06 I072744

Hi @xiaweiss , any updates on this topic? I see the PR https://github.com/ali-sdk/ali-oss/pull/1292 got closed... will this be handled?

borisLipmanovich avatar Jul 23 '24 08:07 borisLipmanovich

@borisLipmanovich PR #1292 was closed, but not merged. Holy shit!

urllib version is still 2.41.0 https://github.com/ali-sdk/ali-oss/blob/master/package.json#L156

xiaweiss avatar Jul 23 '24 08:07 xiaweiss

@xiaweiss, indeed :) Can anyone handle it?

borisLipmanovich avatar Jul 23 '24 08:07 borisLipmanovich

@borisLipmanovich No one is dealing with it; Alibaba doesn't take security seriously. It can be ignored.

xiaweiss avatar Jul 23 '24 08:07 xiaweiss

@xiaweiss, this vulnerability has CVSS 8.6. Maybe you can reopen the PR, as it was closed without merging? https://github.com/ali-sdk/ali-oss/pull/1292

borisLipmanovich avatar Jul 23 '24 09:07 borisLipmanovich

@borisLipmanovich please @ the repo owner, not me.

xiaweiss avatar Jul 23 '24 09:07 xiaweiss

I'm just giving feedback, I don't have any access

xiaweiss avatar Jul 23 '24 09:07 xiaweiss

Version 6.21.0 has been released

YunZZY avatar Aug 16 '24 08:08 YunZZY