apollographql
chore(deps): update dependency gatsby to v4.25.7 [security]
This PR contains the following updates:
| Package | Type | Update | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|---|---|
| gatsby | 4.25.4 -> 4.25.7 |
||||||
| gatsby (source, changelog) | dependencies | patch | 4.25.4 -> 4.25.7 |
GitHub Vulnerability Alerts
CVE-2023-34238
Impact
The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop).
The following steps can be used to reproduce the vulnerability:
# Create a new Gatsby project
$ npm init gatsby
$ cd my-gatsby-site
# Start the Gatsby develop server
$ gatsby develop
# Execute the Local File Inclusion vulnerability in __file-code-frame
$ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1"
# Execute the Local File Inclusion vulnerability in __original-stack-frame
$ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1"
It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.
Patches
A patch has been introduced in [email protected] and [email protected] which mitigates the issue.
Workarounds
As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.
We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
Credits
We would like to thank Maxwell Garrett of Assetnote for bringing the __file-code-frame issue to our attention.
For more information
Email us at [email protected].
Gatsby develop server has Local File Inclusion vulnerability
CVE-2023-34238 / GHSA-c6f8-8r25-c4gc
More information
Details
Impact
The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop).
The following steps can be used to reproduce the vulnerability:
##### Create a new Gatsby project
$ npm init gatsby
$ cd my-gatsby-site
##### Start the Gatsby develop server
$ gatsby develop
##### Execute the Local File Inclusion vulnerability in __file-code-frame
$ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1"
##### Execute the Local File Inclusion vulnerability in __original-stack-frame
$ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1"
It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.
Patches
A patch has been introduced in [email protected] and [email protected] which mitigates the issue.
Workarounds
As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.
We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
Credits
We would like to thank Maxwell Garrett of Assetnote for bringing the __file-code-frame issue to our attention.
For more information
Email us at [email protected].
Severity
- CVSS Score: 4.3 / 10 (Medium)
- Vector String:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
- https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-c6f8-8r25-c4gc
- https://nvd.nist.gov/vuln/detail/CVE-2023-34238
- https://github.com/gatsbyjs/gatsby/commit/ae5a654eb346b2e7a9d341b809b2f82d34c0f17c
- https://github.com/gatsbyjs/gatsby/commit/fc22f4ba3ad7ca5fb3592f38f4f0ca8ae60b4bf7
- https://github.com/gatsbyjs/gatsby
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
Configuration
📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.
Deploy Preview for apollo-monodocs ready!
| Name | Link |
|---|---|
| Latest commit | e57084423a0a444f9452095a0b63e767cae39609 |
| Latest deploy log | https://app.netlify.com/sites/apollo-monodocs/deploys/667aafd1a5ce66000897d168 |
| Deploy Preview | https://deploy-preview-679--apollo-monodocs.netlify.app |
| Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
Lighthouse |
1 paths audited Performance: 31 (🔴 down 26 from production) Accessibility: 85 (no change from production) Best Practices: 92 (no change from production) SEO: 89 (🟢 up 8 from production) PWA: 50 (🟢 up 10 from production) View the detailed breakdown and full score reports |
To edit notification comments on pull requests, go to your Netlify site configuration.
![netlify[bot] avatar](https://avatars.githubusercontent.com/in/13473?v=4 "Published by a pub.dev verified publisher"){kind=small}