Security Scan "Vulnerability" CVE-2023-29827 #9867
Comments
…warning Relates to: loopbackio/loopback-next#9867 Signed-off-by: KalleV <kvirtaneva@gmail.com>
I don't know if this is the best approach for this but I wanted to offer some help resolving this one: loopbackio/strong-error-handler#219
Thanks for raising the issue, @kyle-apex. Since it's disputed on the merit that it's a misuse of the API to be passing unsanitised data, it'll be dependent on how I'll see if I can allocate some time to look into this and get back to you.

Thanks for the PR, @KalleV; much appreciated! Since you've kindly submitted a PR, we can probably proceed with merging the changes (after a quick review by the maintainers) regardless of the exploitability of the vulnerability in

From this issue, we should have 2 deliverables:
Describe the bug
@loopback/rest triggers a critical security vulnerability due to strong-error-handler's dependency on ejs.
The vulnerability is currently disputed by ejs, but does the Loopback team have an official statement/documentation as to why this isn't a vulnerability in Loopback's usage of ejs or a plan to remove ejs entirely?
Thanks!
Relevant Links:
https://nvd.nist.gov/vuln/detail/CVE-2023-29827
GHSA-j5pp-6f4w-r5r6
mde/ejs#720 (comment)
Logs
No response
Additional information
No response
Reproduction
https://nvd.nist.gov/vuln/detail/CVE-2023-29827