
CVE-2022-2596 (Medium) detected in node-fetch-2.6.7.tgz

Open vidyashv-carbon opened this issue 3 years ago • 2 comments

WhiteSource is reporting CVE-2022-2596 for node-fetch 2.6.7. Please update node-fetch to 3.2.10. More details on the issue:

Denial of Service in GitHub repository node-fetch/node-fetch prior to 3.2.10.

Publish Date: 2022-08-01

URL: CVE-2022-2596

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2596

Release Date: 2022-08-01

Fix Resolution: node-fetch - 3.2.10

vidyashv-carbon avatar Aug 09 '22 07:08 vidyashv-carbon

Any update on this issue?

vidyashv-carbon avatar Aug 16 '22 10:08 vidyashv-carbon

Hi @lquixada - Can you please let us know if there is any update on this issue? I see there is an open PR https://github.com/lquixada/cross-fetch/pull/144

Thanks in advance, Rakesh

rakeshp89 avatar Aug 24 '22 13:08 rakeshp89

This was marked as ignored or false by the team and it auto-resolved.

Thanks & Regards, Vidyashri

vidyashv-carbon avatar Sep 23 '22 08:09 vidyashv-carbon

Can we get an estimate on when this issue will be addressed?

katsoohoo avatar Oct 10 '22 23:10 katsoohoo

The new fixed version of node-fetch@2.6.8 is finally released. The current package.json of cross-fetch allows an update from 2.6.7 to the new 2.6.8 to resolve these warnings.

@lquixada - can you please release a new bugfix version (3.1.6?) with this new dependency? The published version 3.1.5 is hard-coded to 2.6.7, unfortunately...

dev-trilobyte avatar Jan 13 '23 14:01 dev-trilobyte

New node-fetch version 2.6.8 fixing this issue is released. @lquixada can you please update your package.json to use 2.6.8 instead of hard-coded 2.6.7 and release a new bugfix version with this minimal fix?

Thanks in advance

sseide avatar Jan 26 '23 09:01 sseide

Will close this since the author reported the issue as ignored or false. Also, CVE-2022-2596 seems to be related to node-fetch >= 3.0.0, < 3.2.10, which cross-fetch doesn't rely on.


lquixada avatar May 14 '23 14:05 lquixada

@dev-trilobyte @sseide [email protected] has been released this morning with [email protected]. Hopefully that will help you both.

lquixada avatar May 14 '23 14:05 lquixada