Security Vulnerability: pac-resolver #335
Comments
Hi Adhikaripr, Thank you for contacting DocuSign Developer Support. Best regards,

Hi @OscarGodson, our team has a ticket to address the security vulnerability introduced by pac-resolver and has prioritized the fix in our next sprint. In the meantime, you can remediate the vulnerability by upgrading pac-resolver to version 5.0.0 or higher.

We don't use pac-resolver, so it's not in our package.json, so I'm not sure how to upgrade it.

Hi @OscarGodson, It is actually "superagent-proxy@2.1.0" (in the package.json) whose dependencies (proxy-agent@4.0.1 -> pac-proxy-agent@4.1.0 -> pac-resolver@4.2.0) use pac-resolver. package.json Let us know if you are happy for us to close this case. Best regards,

Is there an update regarding the pac-resolver vulnerability? Can we get a status update on the fix? Has it been addressed in the recent sprint as mentioned? Thanks for keeping us informed.

@annesophien @cbsdsdevsup this seems like a pretty straightforward fix. But it looks like the pac-resolver fix was deployed and then rolled back. Do you have an update on what's going on here? It's taken 3 months to resolve, which is a little disconcerting.

It seems that this was fixed in 6.3.0 and is back in 6.5.1.
Introduced through: docusign-esign@6.4.0 › superagent-proxy@2.1.0 › proxy-agent@4.0.1 › pac-proxy-agent@4.1.0 › pac-resolver@4.2.0
Overview
Affected versions of this package are vulnerable to Remote Code Execution (RCE). This can occur when used with untrusted input, due to unsafe PAC file handling.
In order to exploit this vulnerability in practice, this either requires an attacker on your local network, a specific vulnerable configuration, or some second vulnerability that allows an attacker to set your config values.
https://security.snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857
Remediation
Upgrade pac-resolver to version 5.0.0 or higher.
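The remediation above is awkward when pac-resolver is only a transitive dependency, as the thread shows. The following is an added example (not code from the issue, Snyk, or the docusign-esign project) that walks a package-lock v1-style nested dependency tree, reports every path that reaches pac-resolver below the 5.0.0 fix boundary, and emits an npm `overrides` stanza (npm 8.3+) to force the transitive package upward. The lockfile content is constructed to mirror the chain quoted in the issue.

```javascript
// Constructed lockfile fragment (package-lock.json v1 shape) mirroring the
// "Introduced through" chain from the issue, plus one already-fixed sibling.
const lock = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    "docusign-esign": { version: "6.4.0", dependencies: {
      "superagent-proxy": { version: "2.1.0", dependencies: {
        "proxy-agent": { version: "4.0.1", dependencies: {
          "pac-proxy-agent": { version: "4.1.0", dependencies: {
            "pac-resolver": { version: "4.2.0" } } } } } } } } },
    "some-other-lib": { version: "1.2.3", dependencies: {
      "pac-resolver": { version: "5.0.0" } } }
  }
};

const FIXED = "5.0.0"; // first non-vulnerable pac-resolver per the advisory

// Compare two plain x.y.z versions numerically; negative when a < b.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Depth-first walk of the nested "dependencies" tree. Returns one
// "›"-joined path string for every occurrence of pkg below the fixed version.
function findVulnerablePaths(tree, pkg = "pac-resolver", fixed = FIXED, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, `${name}@${node.version}`];
    if (name === pkg && compareSemver(node.version, fixed) < 0) hits.push(path.join(" › "));
    hits.push(...findVulnerablePaths(node, pkg, fixed, path));
  }
  return hits;
}

// package.json "overrides" stanza that pins the transitive dependency to a
// fixed range, the way to upgrade a package you do not depend on directly.
function overridesStanza(pkg = "pac-resolver", fixed = FIXED) {
  return { overrides: { [pkg]: `>=${fixed}` } };
}

for (const p of findVulnerablePaths(lock)) console.log("vulnerable:", p);
console.log(JSON.stringify(overridesStanza(), null, 2));
```

After adding the stanza, `npm install` and re-run the walk against the regenerated lockfile to confirm no path below 5.0.0 remains.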