- ABP Framework version: v8.0.0
- UI Type: MVC
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): separated
Hi,
Over the last 11 months, we've been using ABP, and we are happy with it. However, I have been ignoring some key security alerts emitted by GitHub Dependabot, and I'd like to know if the ABP team is currently using something along those lines and, also, when there will be an update for the following vulnerabilities:
HIGH
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) via IPv4-mapped IPv6 addresses.
- @volo/account@8.0.0 requires uppy@^1.16.1 via @abp/uppy@8.0.0.
- Patched version is 2.3.3
- This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
- @volo/abp.aspnetcore.mvc.ui.theme.leptonx@3.0.0 requires glob-parent@^3.1.0 via a transitive dependency on chokidar@2.1.8
- @volo/account@8.0.0 requires glob-parent@^3.1.0 via a transitive dependency on chokidar@2.1.8
- @volo/abp.aspnetcore.mvc.ui.theme.leptonx@3.0.0 requires glob-parent@^3.1.0 via a transitive dependency on glob-stream@6.1.0
- @volo/account@8.0.0 requires glob-parent@^3.1.0 via a transitive dependency on glob-stream@6.1.0
- Patched version is 5.1.2
MEDIUM
- ReDoS in Sec-Websocket-Protocol header - A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.
- @volo/account@8.0.0 requires ws@~6.1.0 via a transitive dependency on engine.io-client@3.3.3
- The earliest fixed version is 6.2.2.
LOW
- sweetalert2 v11.6.14 and above contains potentially undesirable behavior - sweetalert2 versions 11.6.14 and above have potentially undesirable behavior. The package outputs audio and/or video messages that do not pertain to the functionality of the package when run on specific TLDs. This functionality is documented in the project's readme.
Please, let me know how I can ensure my apps are up-to-date and compliant with the latest security standards. Thanks!
5 Answer(s)
-
0
Hi,
We have fixed the uppy vulnerability in 8.1: https://support.abp.io/QA/Questions/6369/Front-end-package-vulnerability-uppy
-
0
I will check others. Thank you.
-
0
Please follow https://github.com/abpframework/abp/pull/19356
-
0
Hi,
https://github.com/advisories/GHSA-mrr8-v49w-3333
We will upgrade all packages except sweetalert2
-
0
That sounds good! Thank you!