CVE-2022-37614: Critical Vulnerability in mockery module #955
Comments
Hi @luxaflow, thank you for reporting this issue; this is currently being worked on.
Any updates on this? The security team of one of our customers is demanding that we upgrade our library with the patched version of mockery.
@maksimu mockery is only used for testing, so none of its exports will see prod. Also, the task does not use the vulnerable component of that library anyways.
@joshftb Two weeks ago this was given the 'triage' label and then removed. Your latest response indicates that this vulnerability may not be exploitable, yet the issue remains 'Open.' Please advise if Microsoft is planning to update their references to use the newest version of mockery that is not vulnerable (according to SNYK there are no 'next non-vulnerable versions') or plans to close this issue.
Team, any updates on this? If the task doesn't use the vulnerable component, can you please advise why this issue is not closed? We need to respond back to our Security team about the status of this issue.
@Vertex-btb, @rajarajan2801 Mockery is indeed used only for testing. This issue is not closed, as we're preparing a replacement, and it's not merged yet.
Hi, any updates on this? I have a task created and I depend on this issue being solved to be able to deploy it. Thanks
hi :)
Compatibility checks with the existing tasks in the azure-pipelines-tasks and introduction of the node20 handler and other priorities. Merging this pull request has consequences beyond this library.
This issue has had no activity in 90 days. Please comment if it is not actually stale
not stale :)
Any update on this issue?
As far as I can tell, this has merged:
Thanks jesse.
This issue has had no activity in 90 days. Please comment if it is not actually stale |
Please check our current Issues to see if someone already reported this https://github.com/Microsoft/azure-pipelines-task-lib/issues
Environment
azure-pipelines-task-lib version: 4.4.0
Issue Description
There is a critical vulnerability in the mfncooper/mockery 2.1.0 module used.
Expected behaviour
No issues when used, but also no critical security CVEs in used modules
Actual behaviour
Currently critical security CVE in mfncooper/mockery module
https://nvd.nist.gov/vuln/detail/CVE-2022-37614
Steps to reproduce
N/A
Logs
Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-37614