Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Scan "Vulnerability" CVE-2023-29827 #9867

Open
kyle-apex opened this issue Aug 16, 2023 · 3 comments
Open

Security Scan "Vulnerability" CVE-2023-29827 #9867

kyle-apex opened this issue Aug 16, 2023 · 3 comments
Labels
bug

Comments

@kyle-apex
Copy link
Contributor

Describe the bug

@loopback/rest triggers a critical security vulnerability due to strong-error-handler's dependency on ejs.

The vulnerability is currently disputed by ejs, but does the Loopback team have an official statement/documentation as to why this isn't a vulnerability in Loopback's usage of ejs or a plan to remove ejs entirely?

Thanks!

Relevant Links:
https://nvd.nist.gov/vuln/detail/CVE-2023-29827
GHSA-j5pp-6f4w-r5r6
mde/ejs#720 (comment)

Logs

No response

Additional information

No response

Reproduction

https://nvd.nist.gov/vuln/detail/CVE-2023-29827
@kyle-apex kyle-apex added the bug label Aug 16, 2023
KalleV added a commit to KalleV/strong-error-handler that referenced this issue Aug 25, 2023
@KalleV
fix(cve-2023-29827): replace EJS with Handlebars to resolve security …
92d22b3 
…warning

Relates to: loopbackio/loopback-next#9867

Signed-off-by: KalleV <kvirtaneva@gmail.com>
@KalleV KalleV mentioned this issue Aug 25, 2023
Merged
2 tasks
@KalleV
Copy link
Contributor

KalleV commented Aug 25, 2023

I don't know if this is the best approach for this but I wanted to offer some help resolving this one: loopbackio/strong-error-handler#219

@achrinza
Copy link
Member

achrinza commented Aug 28, 2023
edited

Thanks for raising the issue, @kyle-apex. Since it's disputed on the merit that it's a misuse of the API to be pssing unsanitised data, it'll be dependent on how strong-error-handler uses the API.

I'll see if I can allocate some time to look into this and ger back to you.

Thanks for the PR, @KalleV; Much appreciated! Since you've kindly submitted a PR, we can probably proceed with merging the changes (after a quick review by the maintainers) regardless of the exploitability of the vulnerability in strong-error-handler.

From this issue, we should have 2 deliverables:

  1. A VEX document (CSAF 2.0) detailing the exploitability - To be published under https://github.com/loopbackio/security
  2. Merging fix(cve-2023-29827): replace EJS with Handlebars to resolve security warning strong-error-handler#219

@ASISBusiness
Copy link

Describe the bug

@loopback/rest triggers a critical security vulnerability due to strong-error-handler's dependency on ejs.

The vulnerability is currently disputed by ejs, but does the Loopback team have an official statement/documentation as to why this isn't a vulnerability in Loopback's usage of ejs or a plan to remove ejs entirely?

Thanks!

Relevant Links:

https://nvd.nist.gov/vuln/detail/CVE-2023-29827

GHSA-j5pp-6f4w-r5r6

mde/ejs#720 (comment)

Logs

No response

Additional information

No response

Reproduction

https://nvd.nist.gov/vuln/detail/CVE-2023-29827

KalleV added a commit to KalleV/strong-error-handler that referenced this issue Sep 1, 2023
@KalleV
fix(cve-2023-29827): replace EJS with Handlebars to resolve security …
37fefdc 
…warning

Relates to: loopbackio/loopback-next#9867

Signed-off-by: KalleV <kvirtaneva@gmail.com>
KalleV added a commit to KalleV/strong-error-handler that referenced this issue Nov 8, 2023
@KalleV
fix(cve-2023-29827): replace EJS with Handlebars to resolve security …
7220058 
…warning

Relates to: loopbackio/loopback-next#9867

Signed-off-by: KalleV <kvirtaneva@gmail.com>
KalleV added a commit to KalleV/strong-error-handler that referenced this issue Nov 9, 2023
@KalleV
fix(cve-2023-29827): replace EJS with Handlebars to resolve security …
374f0a7 
…warning

Relates to: loopbackio/loopback-next#9867

Signed-off-by: KalleV <kvirtaneva@gmail.com>
achrinza pushed a commit to loopbackio/strong-error-handler that referenced this issue Nov 12, 2023
@KalleV @achrinza
fix(cve-2023-29827): replace EJS with Handlebars to resolve security …
5b6c6cd 
…warning

Relates to: loopbackio/loopback-next#9867

Signed-off-by: KalleV <kvirtaneva@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@KalleV @kyle-apex @achrinza @ASISBusiness