sonar-scanner-npm icon indicating copy to clipboard operation
sonar-scanner-npm copied to clipboard

Published 20 hours ago verified publisher icon bellingard

Security issue on dependency of dependency bl (download->decompress->decompress-tar->tar-stream->bl) - CVE-2020-8244

Open Rammohanemis opened this issue 5 years ago • 3 comments

CVE-2020-8244 high severity Vulnerable versions: < 2.2.1 Patched version: 2.2.1 A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and <2.2.1 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Rammohanemis avatar Sep 04 '20 06:09 Rammohanemis

We are also getting this alert:

[email protected] └─┬ [email protected] └─┬ [email protected] └─┬ [email protected] └─┬ [email protected] └── [email protected]

vickyaskham avatar Sep 04 '20 09:09 vickyaskham

believe this is a duplicate of https://github.com/bellingard/sonar-scanner-npm/issues/82

vickyaskham avatar Sep 04 '20 09:09 vickyaskham

believe this is a duplicate of #82

i do not think this is duplicate of #82 issue. That for decompress package vulnerability issue in 4.2.0. Even If we updated decompress package with latest still we will face this issue. Because the fix should come from down the line. bl Package is the dependency of dependency (download->decompress->decompress-tar->tar-stream->bl). In tar-stream Package having fixed version of bl package. so the fix start from decompress-tar Package. already someone raised issue(https://github.com/kevva/decompress-tar/issues/14) regarding this in decompress-tar Repo.

Rammohanemis avatar Sep 04 '20 09:09 Rammohanemis

Hi, this should be fixed with the latest release 2.8.2: https://github.com/bellingard/sonar-scanner-npm/releases/tag/2.8.2

gabssnake avatar Sep 26 '22 14:09 gabssnake