A high severity vulnerability introduced in your package #337
Assignees
Labels
priority: p1
Important issue which blocks shipping the next release. Will be fixed prior to next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Comments
|
@paimon0715 thanks! Is this an automated report? For security issues, in the future, please have a look at our security policy and reporting guidelines: |
chingor13
added
priority: p1
gcf-merge-on-green bot
pushed a commit
that referenced
this issue
Jul 20, 2021
🤖 I have created a release \*beep\* \*boop\* --- ### [2.0.5](https://www.github.com/googleapis/google-p12-pem/compare/v2.0.4...v2.0.5) (2021-07-20) ### Bug Fixes * **deps:** update node-forge to 0.10.0 ([#341](https://www.github.com/googleapis/google-p12-pem/issues/341)) ([201f9c3](https://www.github.com/googleapis/google-p12-pem/commit/201f9c3405a14633c35b99b1f14e3e89db6b6aae)), closes [#297](https://www.github.com/googleapis/google-p12-pem/issues/297) [#337](https://www.github.com/googleapis/google-p12-pem/issues/337) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
|
@JustinBeckwith This is not a bot. Thank you so much for your help! @chingor13 @JustinBeckwith |
|
We backported the dependency bump into 1.0.5 and 2.0.5 and released them to npm. |
This was referenced Jul 30, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi ,@JustinBeckwith, I’d like to report a high severity vulnerability in your package google-p12-pem:
Issue Description
A vulnerability CVE-2020-7720 (high severity) detected in package node-forge<0.10.0 is directly referenced by google-p12-pem@2.0.4 and @1.0.4. We noticed that such a vulnerability has been removed since google-p12-pem@3.0.3.
However, google-p12-pem's popular previous versions google-p12-pem@2.0.4 (428,436 downloads per week) and google-p12-pem@1.0.4 (464,605 downloads per week) are still transitively referenced by a large amount of latest versions of active and popular downstream projects.Taking google-p12-pem@2.0.4 as an example ,there are about 1,260 downstream projects, e.g., @blossm/cli 0.0.1837, psi 4.1.0, @sentrei/common 1.131.0, @firebaseextensions/firestore-bigquery-change-tracker 1.1.12, @sentrei/web 1.131.0, @blossm/cli@0.0.1837, @fonos/sdk@0.1.8-alpha.0, botium-connector-google-assistant@0.0.8, etc..
As such, issue CVE-2020-7720 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade google-p12-pem from version 2.0.4 or 1.0.4 to 3.*.* . For instance, google-p12-pem@2.0.4 and @1.0.4 are introduced into the above projects via the following package dependency paths:
(1)
@blossm/cli@0.0.1837 ➔ @blossm/gcp-secret@0.0.55 ➔ @blossm/gcp-storage@0.0.11 ➔ @google-cloud/storage@3.5.0 ➔ @google-cloud/common@2.4.0 ➔ google-auth-library@5.10.1 ➔ gtoken@4.1.4 ➔ google-p12-pem@2.0.4 ➔ node-forge@0.9.2(2)
@fonos/sdk@0.1.8-alpha.0 ➔ @fonos/funcs@0.1.8-alpha.0 ➔ container-image-builder@3.2.0 ➔ google-auth-library@5.10.1 ➔ gtoken@4.1.4 ➔ google-p12-pem@2.0.4 ➔ node-forge@0.9.2(3)
botium-connector-google-assistant@0.0.8 ➔ actions-on-google-testing@0.4.0 ➔ google-auth-library@5.10.1 ➔ gtoken@4.1.4 ➔ google-p12-pem@2.0.4 ➔ node-forge@0.9.2(4)
@backstage/plugin-techdocs-backend@0.8.6 ➔ @backstage/techdocs-common@0.6.7 ➔ pkgcloud@2.2.0 ➔ @google-cloud/storage@2.5.0 ➔ @google-cloud/common@0.32.1 ➔ google-auth-library@3.1.2 ➔ gtoken@2.3.3 ➔ google-p12-pem@1.0.4 ➔ node-forge@0.8.5(5)
@backstage/techdocs-common@0.6.7 ➔ pkgcloud@2.2.0 ➔ @google-cloud/storage@2.5.0 ➔ @google-cloud/common@0.32.1 ➔ google-auth-library@3.1.2 ➔ gtoken@2.3.3 ➔ google-p12-pem@1.0.4 ➔ node-forge@0.8.5......
The projects such as @blossm/gcp-storage, container-image-builder, actions-on-google-testing and pkgcloud etc. which introduced google-p12-pem@2.0.4 or @1.0.4, are not maintained anymore. These unmaintained packages can neither upgrade google-p12-pem nor be easily migrated by the large amount of affected downstream projects.
On behalf the downstream users, could you help us remove the vulnerability from packages google-p12-pem@2.0.4 and @1.0.4?
Suggested Solution
Since these unactive projects set a version constaint ~2.0. or ~1.0.** for google-p12-pem on the vulnerable dependency paths, if google-p12-pem removes the vulnerability from @2.0.4 and @1.0.4 and releases new patched versions google-p12-pem@2.0.5 and google-p12-pem@1.0.5, such a vulnerability patch can be automatically propagated into the affected downstream projects.
In google-p12-pem@2.0.5, you can kindly try to perform the following upgrade:
node-forge ^0.9.0 ➔ ^0.10.0;Note:
node-forge@0.10.0 (>=0.10.0) has fixed the vulnerability CVE-2020-7720
In google-p12-pem@1.0.5, you can kindly try to perform the following upgrade:
node-forge ^0.8.0 ➔ ^0.10.0;Note:
node-forge@0.10.0 (>=0.10.0) has fixed the vulnerability CVE-2020-7720
Thank you for your contributions.
Sincerely yours,
Paimon
The text was updated successfully, but these errors were encountered: