Ends in:
7 DAYS
21 HRS
50 MIN
59 SEC
Ends in:
7 D
21 H
50 M
59 S
Open Closed

Vulnerabilities & Dependabot alerts #6905


User avatar
0
auxo-devsu created
  • ABP Framework version: v8.0.0
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): separated

Hi,

Over the last 11 months, we've been using ABP, and we are happy about it. However, I have been ignoring some key security alerts emitted by GitHub Dependabot and I'd like to know if the ABP team is currently using something along the lines and, also, when there will be an update to the following vulnerabilities:

HIGH

  • uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) via IPv4-mapped IPv6 addresses.
    • @volo/account@8.0.0 requires uppy@^1.16.1 via @abp/uppy@8.0.0.
    • Patched version is 2.3.3
  • This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
    • @volo/abp.aspnetcore.mvc.ui.theme.leptonx@3.0.0 requires glob-parent@^3.1.0 via a transitive dependency on chokidar@2.1.8 @volo/account@8.0.0 requires glob-parent@^3.1.0 via a transitive dependency on chokidar@2.1.8 @volo/abp.aspnetcore.mvc.ui.theme.leptonx@3.0.0 requires glob-parent@^3.1.0 via a transitive dependency on glob-stream@6.1.0 @volo/account@8.0.0 requires glob-parent@^3.1.0 via a transitive dependency on glob-stream@6.1.0
    • Patched version is 5.1.2

MEDIUM

  • ReDoS in Sec-Websocket-Protocol header - A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.
    • @volo/account@8.0.0 requires ws@~6.1.0 via a transitive dependency on engine.io-client@3.3.3
    • The earliest fixed version is 6.2.2.

LOW

  • sweetalert2 v11.6.14 and above contains potentially undesirable behavior - sweetalert2 versions 11.6.14 and above have potentially undesirable behavior. The package outputs audio and/or video messages that do not pertain to the functionality of the package when run on specific tlds. This functionality is documented on the project's readme

Please, let me know how I can ensure my apps are up-to-date and compliant with the latest security standards. Thanks!


5 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    We have fixed the uppy in 8.1

    https://support.abp.io/QA/Questions/6369/Front-end-package-vulnerability-uppy

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    I will check others. Thank you.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Please follow https://github.com/abpframework/abp/pull/19356

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    https://github.com/advisories/GHSA-mrr8-v49w-3333

    We will upgrade all packages except sweetalert2

  • User Avatar
    0
    auxo-devsu created

    That sounds good! Thank you!

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06