
Security Scan "Vulnerability" CVE-2023-29827

Open kyle-apex opened this issue 1 year ago • 3 comments

Describe the bug

@loopback/rest triggers a critical security vulnerability due to strong-error-handler's dependency on ejs.

The vulnerability is currently disputed by ejs, but does the Loopback team have an official statement/documentation as to why this isn't a vulnerability in Loopback's usage of ejs or a plan to remove ejs entirely?

Thanks!

Relevant Links: https://nvd.nist.gov/vuln/detail/CVE-2023-29827 https://github.com/advisories/GHSA-j5pp-6f4w-r5r6 https://github.com/mde/ejs/issues/720#issuecomment-1587399501

Logs

No response

Additional information

No response

Reproduction

https://nvd.nist.gov/vuln/detail/CVE-2023-29827

kyle-apex avatar Aug 16 '23 19:08 kyle-apex

I don't know if this is the best approach for this but I wanted to offer some help resolving this one: https://github.com/loopbackio/strong-error-handler/pull/219

KalleV avatar Aug 25 '23 11:08 KalleV

Thanks for raising the issue, @kyle-apex. Since it's disputed on the merit that it's a misuse of the API to be passing unsanitised data, it'll be dependent on how strong-error-handler uses the API.

I'll see if I can allocate some time to look into this and get back to you.

Thanks for the PR, @KalleV; much appreciated! Since you've kindly submitted a PR, we can probably proceed with merging the changes (after a quick review by the maintainers) regardless of the exploitability of the vulnerability in strong-error-handler.

From this issue, we should have 2 deliverables:

  1. A VEX document (CSAF 2.0) detailing the exploitability - To be published under https://github.com/loopbackio/security
  2. Merging https://github.com/loopbackio/strong-error-handler/pull/219

achrinza avatar Aug 28 '23 10:08 achrinza
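The first deliverable above is a CSAF 2.0 VEX document. As an added illustration, not code from this issue, from loopback-next, or from the loopbackio/security repository, the following Node.js script builds a minimal VEX document for CVE-2023-29827 and checks it against the CSAF product_status and justification-flag vocabularies. The publisher name and namespace, tracking id, product id, the version placeholder, the date and the under_investigation status are assumptions; the thread had not yet reached an exploitability verdict, so no known_affected or known_not_affected claim is made.

```javascript
// Added example (not loopback-next or strong-error-handler code): build a
// minimal CSAF 2.0 VEX document for the CVE discussed in this issue and check
// it against the vocabularies CSAF 2.0 defines. Publisher, tracking id,
// product id, version and the "under_investigation" status are constructed
// placeholders, not a statement from the LoopBack maintainers.

// Allowed keys of vulnerabilities[].product_status in CSAF 2.0.
const PRODUCT_STATUS_KEYS = new Set([
  'first_affected', 'first_fixed', 'fixed', 'known_affected',
  'known_not_affected', 'last_affected', 'recommended', 'under_investigation',
]);

// Justification labels CSAF 2.0 allows in vulnerabilities[].flags[].label;
// a VEX consumer expects one for every product listed as known_not_affected.
const FLAG_LABELS = new Set([
  'component_not_present',
  'inline_mitigations_already_exist',
  'vulnerable_code_cannot_be_controlled_by_adversary',
  'vulnerable_code_not_in_execute_path',
  'vulnerable_code_not_present',
]);

function buildVex({ cve, productId, productName, status, justification, details, date }) {
  if (!PRODUCT_STATUS_KEYS.has(status)) {
    throw new Error(`unknown product_status: ${status}`);
  }
  // A "not affected" claim without a machine-readable justification is
  // rejected here so scanners are not told to suppress a finding unexplained.
  if (status === 'known_not_affected' && !FLAG_LABELS.has(justification)) {
    throw new Error('known_not_affected requires a CSAF justification flag');
  }
  const vuln = {
    cve,
    product_status: { [status]: [productId] },
    notes: [{ category: 'description', text: details }],
  };
  if (justification) {
    vuln.flags = [{ label: justification, product_ids: [productId] }];
  }
  return {
    document: {
      category: 'csaf_vex',
      csaf_version: '2.0',
      // Placeholder publisher; a real document names the project and its namespace.
      publisher: { category: 'vendor', name: 'EXAMPLE-PUBLISHER', namespace: 'https://example.invalid' },
      title: `VEX statement for ${cve} in ${productName}`,
      tracking: {
        id: `EXAMPLE-VEX-${cve}`, // placeholder tracking id
        status: 'draft',
        version: '1',
        initial_release_date: date,
        current_release_date: date,
        revision_history: [{ number: '1', date, summary: 'Initial draft' }],
      },
    },
    product_tree: {
      full_product_names: [{ product_id: productId, name: productName }],
    },
    vulnerabilities: [vuln],
  };
}

// What a consumer (e.g. a scanner reading the VEX) learns about one product.
function statusFor(vex, cve, productId) {
  const v = vex.vulnerabilities.find((x) => x.cve === cve);
  if (!v) return null;
  for (const [key, ids] of Object.entries(v.product_status)) {
    if (ids.includes(productId)) return key;
  }
  return null;
}

// Constructed sample: status reflects that the analysis was still pending.
const exampleVex = buildVex({
  cve: 'CVE-2023-29827',
  productId: 'CSAFPID-0001', // placeholder product id
  productName: 'strong-error-handler (version range: placeholder)',
  status: 'under_investigation',
  details: 'Exploitability depends on whether strong-error-handler passes unsanitised input to the ejs API; analysis pending.',
  date: '2023-08-28T00:00:00Z', // placeholder date
});

console.log(JSON.stringify(exampleVex, null, 2));
```

Once the investigation concludes, the same builder produces the final statement by switching the status to known_not_affected together with the matching justification flag, or to known_affected/fixed with the fixed version, which is the point at which a scanner can be told to stop reporting the finding.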
