
[Snyk: high] Upgrade Watchify (Due 7/05/24) #6321

Closed · 1 task
tmpayton opened this issue Jun 5, 2024 · 1 comment
Labels: Security: high (Remediate within 30 days)
tmpayton (Contributor) commented Jun 5, 2024

Overview
Affected versions of this package are vulnerable to Prototype Pollution via the unset function in index.js, because it allows access to object prototype properties.

Details
Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

  • Unsafe Object recursive merge
  • Property definition by path

Completion Criteria

  • Upgrade watchify to v4 if easy [This is only a dev dependency--will not affect external users]
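The two pollution routes named in the advisory (unsafe recursive merge, and property definition or removal by a dotted path such as the `unset` function it mentions) are easiest to see side by side. The following is an added example written for this issue, not watchify's code: it shows a vulnerable path setter and a vulnerable recursive merge next to hardened versions that refuse the prototype keys `__proto__`, `constructor` and `prototype` and only ever walk own properties. All function names (`unsafeSetByPath`, `safeSetByPath`, `safeUnsetByPath`, `unsafeMerge`, `safeMerge`, `isSafeKey`, `own`) are hypothetical.

```javascript
// Added example (not watchify's code). Function names are hypothetical.

// Keys that resolve to the prototype chain instead of an own property.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return typeof key === 'string' && !PROTOTYPE_KEYS.has(key);
}

// hasOwnProperty without trusting the object's own (possibly shadowed) method.
function own(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

function isPlainContainer(v) {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// VULNERABLE: "property definition by path". Each segment is read with plain
// property access, so a segment "__proto__" walks into Object.prototype and
// the final assignment lands on every object in the process.
function unsafeSetByPath(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] == null) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// HARDENED: reject any prototype key before writing, and only descend into
// containers that are own properties of the current node.
function safeSetByPath(target, path, value) {
  const keys = path.split('.');
  if (!keys.every(isSafeKey)) {
    throw new TypeError(`refusing to set "${path}": path contains a prototype key`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!own(node, keys[i]) || !isPlainContainer(node[keys[i]])) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// HARDENED unset: same rules; returns false instead of touching inherited
// properties (e.g. "__proto__.toString" never reaches Object.prototype).
function safeUnsetByPath(target, path) {
  const keys = path.split('.');
  if (!keys.every(isSafeKey)) return false;
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!own(node, keys[i]) || !isPlainContainer(node[keys[i]])) return false;
    node = node[keys[i]];
  }
  const last = keys[keys.length - 1];
  if (!own(node, last)) return false;
  delete node[last];
  return true;
}

// VULNERABLE: "unsafe Object recursive merge". JSON.parse produces an own
// "__proto__" key, Object.keys returns it, and target["__proto__"] resolves
// to Object.prototype, which then receives the nested keys.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainContainer(source[key])) {
      if (!isPlainContainer(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED merge: drop prototype keys and only recurse into own containers.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (!isSafeKey(key)) continue;
    const v = source[key];
    if (isPlainContainer(v)) {
      if (!own(target, key) || !isPlainContainer(target[key])) target[key] = {};
      safeMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

module.exports = { isSafeKey, own, unsafeSetByPath, safeSetByPath, safeUnsetByPath, unsafeMerge, safeMerge };
```

A quick regression check for any path- or merge-style helper in a code base is to feed it a parsed JSON document containing a `"__proto__"` key and then assert that a fresh `{}` has no new properties; the hardened variants above pass that check, the unsafe ones do not. Using `Object.create(null)` for configuration objects removes the prototype chain entirely and is a complementary mitigation.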
tmpayton added the Security: high (Remediate within 30 days) label Jun 5, 2024
tmpayton added this to the 25.3 milestone Jun 5, 2024
patphongs moved this to 🔨 Pre-refinement in Website project Jun 6, 2024
cnlucas moved this from 🔨 Pre-refinement to 🔜 Sprint backlog in Website project Jun 6, 2024
cnlucas moved this from 🔜 Sprint backlog to 📥 Assigned in Website project Jun 11, 2024
johnnyporkchops modified the milestones: 25.3, 25.4 Jun 25, 2024
johnnyporkchops (Contributor) commented Jul 9, 2024

This will be resolved with changes related to the upcoming WebPack upgrade. Since these are dev dependencies, it's not really a high threat as we don't run it in our built environments.
The security team has been notified and approves our temporary acceptance of the reported vulnerability given mitigating factors mentioned above.

github-project-automation bot moved this from 📥 Assigned to ✅ Done in Website project Jul 9, 2024
No branches or pull requests
3 participants