Advisory #725 inconsistently marks affected versions


(Paul Draper) #1

Advisory #725 states that remediation is upgrading to 3.1.6.

npm audit output states that it is patched in >=3.1.11

And the advisory versions list all versions, including the latest 3.1.14, as affected. npm audit fails 3.1.14 as well.

This is a haphazard way to report security vulns.


(Manishaggarwalm) #2

It says the same for me

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

High           Missing Origin Validation
Package        webpack-dev-server
Patched in     >=3.1.11
Dependency of  webpack-dev-server [dev]
Path           webpack-dev-server
More info      https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 60688 scanned packages


(Giamir Buoncristiani) #3

Any update?
We have red vulnerabilities check pipelines because of this issue.


(Tom Milligan) #4

See here

This appears to be a typo in the npm vulnerability database. Someone has typed "vulnerable_versions":"<=3.110" (rather than <=3.1.10) which is marking all versions as vulnerable. Needs to be fixed upstream by the npm audit team.

Output of yarn audit --json:

{"type":"auditAdvisory","data":{"resolution":{"id":725,"path":"webpack-dev-server","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"3.1.14","paths":["webpack-dev-server"],"dev":false,"optional":false,"bundled":false}],"id":725,"created":"2018-11-07T17:10:22.191Z","updated":"2018-12-31T18:58:12.106Z","deleted":null,"title":"Missing Origin Validation","found_by":{"link":"https://blog.cal1.cn/link","name":"Jiantao Li"},"reported_by":{"link":"https://blog.cal1.cn/link","name":"Jiantao Li"},"module_name":"webpack-dev-server","cves":["CVE-2018-14732"],"vulnerable_versions":"<=3.110","patched_versions":">=3.1.11","overview":"Versions of `webpack-dev-server` before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.","recommendation":"Update to version 3.1.6 or later.","references":"- [Sniffing Codes in Hot Module Reloading Messages\n](https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages)\n- [GitHub commit](https://github.com/webpack/webpack-dev-server/commit/f18e5adf123221a1015be63e1ca2491ca45b8d10)","access":"public","severity":"high","cwe":"CWE-346","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/725"}}}
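
The range typo above, and the check a pipeline could run against it, as an added example that is not code from the thread, from npm or from yarn. It uses a minimal semver comparator checker (written here, not node-semver) to show why "<=3.110" covers every 3.x release, including 3.1.14, while "<=3.1.10" (the range the thread infers from the advisory's ">=3.1.11") stops at 3.1.10, and it flags any yarn-audit advisory record whose vulnerable and patched ranges both match the installed version, which is the contradictory state this thread reports. The sample record is a constructed, trimmed copy of the posted JSON line; `checkAdvisory`, `satisfies` and `rangeVerdicts` are names chosen for this example. Note that even with the typo corrected, the advisory's "Update to version 3.1.6 or later" and its patched_versions of ">=3.1.11" still disagree with each other; this check only catches the range overlap, not that inconsistency.

```javascript
// Added example, not from the thread, npm or yarn. Minimal semver comparator
// checker: handles "<", "<=", ">", ">=", "=" comparators, space-joined
// conjunctions and "||"-joined sets. No "^", "~", "x" or prerelease support.
// Partial versions such as "3.110" are padded with zeros (3.110.0); that is a
// simplification of node-semver's handling but gives the same verdicts here.

function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True if `version` satisfies `range`, e.g. ">=3.0.0 <3.1.11 || <=2.0.0".
function satisfies(version, range) {
  return range.split('||').some((set) =>
    set.trim().split(/\s+/).filter(Boolean).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(cmp);
      const op = m[1] || '=';
      const c = compareVersions(version, m[2]);
      switch (op) {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    })
  );
}

// Map each version to whether it falls inside `range`.
function rangeVerdicts(versions, range) {
  const out = {};
  for (const v of versions) out[v] = satisfies(v, range);
  return out;
}

const TYPO_RANGE = '<=3.110';      // as published in advisory 725, per the thread
const INTENDED_RANGE = '<=3.1.10'; // assumed intended range, matching ">=3.1.11"
const PATCHED_RANGE = '>=3.1.11';

// Constructed sample: a trimmed copy of the `yarn audit --json` line from the
// thread, keeping only the fields this check reads.
const SAMPLE_AUDIT_LINE = JSON.stringify({
  type: 'auditAdvisory',
  data: {
    resolution: { id: 725, path: 'webpack-dev-server' },
    advisory: {
      id: 725,
      module_name: 'webpack-dev-server',
      findings: [{ version: '3.1.14', paths: ['webpack-dev-server'] }],
      vulnerable_versions: TYPO_RANGE,
      patched_versions: PATCHED_RANGE,
      recommendation: 'Update to version 3.1.6 or later.',
    },
  },
});

// Return one message per finding whose version satisfies BOTH ranges. A sane
// advisory never has overlapping vulnerable and patched ranges, so a hit
// points at a database error rather than real exposure. Non-advisory lines
// (yarn also emits "auditSummary" records) are ignored.
function checkAdvisory(line) {
  const rec = JSON.parse(line);
  if (rec.type !== 'auditAdvisory') return [];
  const adv = rec.data.advisory;
  const problems = [];
  for (const f of adv.findings) {
    const vuln = satisfies(f.version, adv.vulnerable_versions);
    const patched = satisfies(f.version, adv.patched_versions);
    if (vuln && patched) {
      problems.push(
        `advisory ${adv.id}: ${adv.module_name}@${f.version} matches both ` +
        `vulnerable_versions "${adv.vulnerable_versions}" and ` +
        `patched_versions "${adv.patched_versions}"`
      );
    }
  }
  return problems;
}

// Side-by-side verdicts for the typo'd and the intended range.
function demo() {
  const versions = ['3.1.5', '3.1.6', '3.1.10', '3.1.11', '3.1.14'];
  return {
    typo: rangeVerdicts(versions, TYPO_RANGE),
    intended: rangeVerdicts(versions, INTENDED_RANGE),
    patched: rangeVerdicts(versions, PATCHED_RANGE),
    problems: checkAdvisory(SAMPLE_AUDIT_LINE),
    problemsAfterFix: checkAdvisory(SAMPLE_AUDIT_LINE.replace(TYPO_RANGE, INTENDED_RANGE)),
  };
}
```

Run `demo()` in a Node REPL: under the typo'd range every listed version, including 3.1.14, is "vulnerable" while 3.1.11 and 3.1.14 are simultaneously "patched", and `checkAdvisory` reports the overlap; with the range corrected to "<=3.1.10" the overlap disappears and 3.1.14 is no longer flagged. Piping each line of `yarn audit --json` through `checkAdvisory` is one way to keep a database typo like this one from turning a pipeline red without also hiding genuine findings.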

(Peter O'shaughnessy) #5

Just to share the news in this thread too, looks like the typo issue has now been resolved: Npm audit sweems to get semver wrong?


(Paul Draper) #6

Indeed; it appears to be fixed. Npm audit sweems to get semver wrong?

9h response time for “bug”.
24hr+ response time for “support”.

Good to know.


(Lars Willighagen) #7

This is expected, quoting the category description:


(Paul Draper) #8

Got it. #bugs is for npm support. #support is for npm community.


(Kat Marchán) #9

well, #bugs for actual, actionable, well-described bugs. #support for questions that the community can answer for you :slight_smile: If you want more support from npm itself, support@npmjs.com is available and reaches our support department, which doesn’t currently participate in npm.community.


(system) #10

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.