
Security Vulnerability : pac-resolver

Open Adhikaripr opened this issue 2 years ago • 8 comments

Introduced through: [email protected][email protected][email protected][email protected][email protected]

Overview: Affected versions of this package are vulnerable to Remote Code Execution (RCE). This can occur when used with untrusted input, due to unsafe PAC file handling.

In order to exploit this vulnerability in practice, this either requires an attacker on your local network, a specific vulnerable configuration, or some second vulnerability that allows an attacker to set your config values. https://security.snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857

Remediation: Upgrade pac-resolver to version 5.0.0 or higher.

Adhikaripr avatar Sep 06 '23 10:09 Adhikaripr

Hi Adhikaripr,

Thank you for contacting DocuSign Developer Support.  We have raised this internally and will let you know as soon as we have an update.

Best regards, Conar | DocuSign Developer Support

cbsdsdevsup avatar Sep 06 '23 21:09 cbsdsdevsup

Any updates on this? In this particular case is this not an issue or if it's an issue are there recommendation temporary remediations?

Screenshot 2023-09-11 at 12 46 51 PM

OscarGodson avatar Sep 11 '23 19:09 OscarGodson


Hi @OscarGodson, our team has a ticket to address the security vulnerability introduced by pac-resolver and has prioritized the fix in our next sprint. In the meantime, you can remediate the vulnerability by upgrading pac-resolver to version 5.0.0 or higher.

annesophien avatar Sep 12 '23 22:09 annesophien

We don't use pac resolver so it's not in our package.json so I'm not sure how to upgrade it.

OscarGodson avatar Sep 12 '23 22:09 OscarGodson

Hi @OscarGodson ,

It is actually "[email protected]" (in the package.json) whose dependencies ([email protected] -> [email protected] -> [email protected]) use pac-resolver. So you can either upgrade superagent-proxy to 3.0.0 or downgrade the docusign-esign package to 6.3.0.

package.json "superagent-proxy": "^2.0.0"

Let us know if you are happy for us to close this case.

Best regards, Conar | DocuSign Developer Support

cbsdsdevsup avatar Sep 13 '23 22:09 cbsdsdevsup
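A check a consuming project can run to see which chain actually pulls the old pac-resolver in, as an added example that is not part of this issue or of the docusign-esign project: it walks a package-lock.json (lockfileVersion 2/3) the way npm resolves packages and flags any pac-resolver below the 5.0.0 fix. The lockfile, the other-lib package and the 0.0.1/4.2.0 versions are constructed placeholders.

```javascript
// Compare "major.minor.patch" only; prerelease tags are ignored (enough for triage).
function versionLt(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}
// npm lookup order: <from>/node_modules/<name>, then the same in each enclosing scope.
function resolveDep(packages, from, name) {
  let scope = from;
  for (;;) {
    const key = scope ? `${scope}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[key]) return key;
    if (!scope) return null;
    scope = scope.replace(/\/?node_modules\/(@[^\/]+\/)?[^\/]+$/, '');
  }
}
// Depth-first walk from the root entry (key "") collecting "a > b > c@version"
// chains that end at an install of `target` older than `fixedVersion`.
function vulnerableChains(lock, target = 'pac-resolver', fixedVersion = '5.0.0') {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (key, names, onPath) => {
    const meta = packages[key] || {};
    if (names[names.length - 1] === target) {
      if (versionLt(meta.version || '0.0.0', fixedVersion)) chains.push(`${names.join(' > ')}@${meta.version}`);
      return;
    }
    for (const dep of Object.keys(meta.dependencies || {})) {
      const next = resolveDep(packages, key, dep);
      if (!next || onPath.has(next)) continue; // unresolved, or a cycle
      onPath.add(next); walk(next, [...names, dep], onPath); onPath.delete(next);
    }
  };
  walk('', [lock.name || 'root'], new Set(['']));
  return chains;
}
// Constructed lockfile mirroring the chain described above (other-lib and the 0.0.1/4.2.0
// versions are placeholders): the hoisted pac-resolver is fixed, but pac-proxy-agent still
// resolves to its own nested 4.x copy.
const sampleLock = { name: 'my-app', lockfileVersion: 3, packages: {
  '': { name: 'my-app', dependencies: { 'docusign-esign': '*', 'other-lib': '*' } },
  'node_modules/other-lib': { version: '1.0.0', dependencies: { 'pac-resolver': '*' } },
  'node_modules/pac-resolver': { version: '5.0.1' },
  'node_modules/docusign-esign': { version: '6.5.1', dependencies: { 'superagent-proxy': '*' } },
  'node_modules/superagent-proxy': { version: '2.0.0', dependencies: { 'proxy-agent': '*' } },
  'node_modules/proxy-agent': { version: '0.0.1', dependencies: { 'pac-proxy-agent': '*' } },
  'node_modules/pac-proxy-agent': { version: '0.0.1', dependencies: { 'pac-resolver': '*' } },
  'node_modules/pac-proxy-agent/node_modules/pac-resolver': { version: '4.2.0' },
} };
console.log(vulnerableChains(sampleLock));
```

Point it at a real lockfile with `vulnerableChains(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means nothing in the tree resolves to a pre-5.0.0 pac-resolver.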

Is there an update regarding the pac-resolver vulnerability? Can we get a status update on the fix? Has it been addressed in the recent sprint as mentioned?

Thanks for keeping us informed.

juniorp07 avatar Oct 23 '23 14:10 juniorp07

@annesophien @cbsdsdevsup this seems like a pretty straightforward fix. But it looks like the pac-resolver fix was deployed and then rolled back. Do you have an update on what's going on here? It's taken 3 months to resolve which is a little disconcerting.

comp615 avatar Nov 17 '23 15:11 comp615

It seems that this was fixed on 6.3.0 and is back on 6.5.1.

joaomvfsantos avatar Dec 11 '23 12:12 joaomvfsantos

Hello All,

We've removed the vulnerability and you can now access the updated version, here 6.6.0-rc2.

Please find further updates in this issue.

sonawane-sanket avatar May 17 '24 07:05 sonawane-sanket

We're excited to announce the release of the public version 7.0.0. We encourage you to upgrade and check out the changelog here.

sonawane-sanket avatar May 23 '24 07:05 sonawane-sanket