
Open vulnerabilities for express-fileupload

Open jhtann opened this issue 10 months ago • 3 comments

Currently, at the latest master e107592, I've observed that express-fileupload is at version 1.4.0, which exposes the vulnerabilities CVE-2022-27140 (critical) and CVE-2022-27261 (high).

Despite upgrading to version 1.5.0, both vulnerabilities persist in the Express-fileupload library.

Details:

CVE-2022-27140 (CRITICAL): being disputed in the NIST database
CVE-2022-27261 (HIGH): still open, might pose a risk of file overwrite

Previous Discussions:

Issue #312: Link
Issue #316: Link

Do we assess the risks associated with these vulnerabilities, given that we are using express-fileupload: 1.4.0?

jhtann avatar Apr 19 '24 03:04 jhtann
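The question above comes down to which version of express-fileupload actually ends up in the image, and a nested copy pulled in by another dependency can differ from the top-level one. The script below is an added example, not code from the thread or from clamav-rest-api: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3), lists every resolved copy of a package, and flags those below a minimum version. The lockfile content and the 1.5.0 minimum are constructed for the example.

```javascript
// Added example (not clamav-rest-api's own code): list every resolved copy of a
// dependency in an npm lockfile and flag copies older than a required minimum.
const MIN_VERSION = '1.5.0'; // assumption: the version the thread settles on

// Constructed sample lockfile (npm lockfileVersion 2/3 "packages" shape).
// It deliberately contains a nested, older copy to show why checking only the
// top-level entry is not enough.
const SAMPLE_LOCK = JSON.stringify({
  name: 'clamav-rest-api',
  lockfileVersion: 3,
  packages: {
    '': { name: 'clamav-rest-api', dependencies: { 'express-fileupload': '^1.5.0' } },
    'node_modules/express-fileupload': { version: '1.5.0' },
    'node_modules/some-plugin': { version: '2.0.0' }, // hypothetical package
    'node_modules/some-plugin/node_modules/express-fileupload': { version: '1.4.0' },
    'node_modules/busboy': { version: '1.6.0' },
  },
});

// Parse the numeric "x.y.z" prefix of a version string into three integers.
// Prerelease/build suffixes are ignored for this comparison.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every install path in the lockfile whose installed package is `pkgName`,
// together with the version resolved at that path.
function findPackage(lockJson, pkgName) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) {
    throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  }
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages)) {
    if (installPath === '') continue; // the root project entry
    // The text after the last "node_modules/" is the installed package name;
    // scoped names (@scope/name) keep their inner slash.
    const marker = 'node_modules/';
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    if (name === pkgName) hits.push({ path: installPath, version: meta.version });
  }
  return hits;
}

// Copies of `pkgName` (nested ones included) resolved below `minVersion`.
function outdatedCopies(lockJson, pkgName, minVersion) {
  return findPackage(lockJson, pkgName)
    .filter((h) => compareVersions(h.version, minVersion) < 0);
}

// Report on the constructed lockfile.
for (const h of outdatedCopies(SAMPLE_LOCK, 'express-fileupload', MIN_VERSION)) {
  console.log(`${h.path}: ${h.version} is below ${MIN_VERSION}`);
}
```

Against a real checkout, replace `SAMPLE_LOCK` with the contents of the project's `package-lock.json` (or run the same check inside the Docker image, where the lockfile that was actually installed lives).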

Hi,

Based on the CVE links you provided, version 1.4.0 of express-fileupload is not vulnerable. Based on the issue links you provided, it is also indicated that the vulnerability is "questionable":


CVE-2022-27140 is marked as "disputed".

benzino77 avatar Apr 21 '24 12:04 benzino77

Yeah, is there any plan to upgrade express-fileupload to version 1.5.0, even though the "disputed" CVE still exists in the latest version 🤔

jhtann avatar Apr 22 '24 03:04 jhtann

Will take a look at that after my vacations.

benzino77 avatar Apr 25 '24 08:04 benzino77

Looks like v1.5.0 brings some "unexpected" breaking changes. For now I've upgraded the express-fileupload package to v1.4.3 and pushed a new Docker image to the repository. When I have more time, I will try to investigate why clamav-rest-api is not working as expected with version v1.5.0.

benzino77 avatar May 10 '24 17:05 benzino77

Thanks @benzino77 for the update and the finding 👍

jhtann avatar May 11 '24 09:05 jhtann

I have updated express-fileupload to v1.5.0 and pushed a new Docker image version.

benzino77 avatar Jun 08 '24 07:06 benzino77