CVE-2020-36632 reported in Trivy scan for flat dependency #27763

Open
gaccardo-slb opened this issue Sep 7, 2023 · 7 comments
Labels
prevent-stale mark an issue so it is ignored by stale[bot] type: security 🔐 Security related

Comments

@gaccardo-slb

Current behavior

A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0.
This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification
of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely.

Cypress uses version 4.1.1 of this library.

Desired behavior

Upgrading to version 5.0.1 is able to address this issue.

Test code to reproduce

none

Cypress Version

13.1 and earlier

Node version

18.17

Operating System

ubuntu:kinetic

Debug Logs

{
  "VulnerabilityID": "CVE-2020-36632",
  "PkgID": "[email protected]",
  "PkgName": "flat",
  "PkgPath": "/.cache/Cypress/13.1.0/Cypress/resources/app/node_modules/flat/package.json",
  "InstalledVersion": "4.1.1",
  "FixedVersion": "5.0.1",
  "Status": "fixed",
  "Layer": {
	"DiffID": "sha256:97140796650ca4add333e8b8d7ddfe0afbf0f4b4d0523cdee7192414312a1068"
  },
  "SeveritySource": "ghsa",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-36632",
  "DataSource": {
	"ID": "ghsa",
	"Name": "GitHub Security Advisory Npm",
	"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
  },
  "Title": "flat vulnerable to Prototype Pollution",
  "Description": "A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.",
  "Severity": "CRITICAL",
  "CweIDs": [
	"CWE-1321"
  ],
  "CVSS": {
	"ghsa": {
	  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
	  "V3Score": 9.8
	},
	"nvd": {
	  "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
	  "V3Score": 9.8
	}
  },
  "References": [
	"https://github.com/hughsk/flat",
	"https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13",
	"https://github.com/hughsk/flat/issues/105",
	"https://github.com/hughsk/flat/pull/106",
	"https://github.com/hughsk/flat/releases/tag/5.0.1",
	"https://nvd.nist.gov/vuln/detail/CVE-2020-36632",
	"https://vuldb.com/?ctiid.216777",
	"https://vuldb.com/?id.216777"
  ],
  "PublishedDate": "2022-12-25T20:15:00Z",
  "LastModifiedDate": "2023-01-05T02:05:00Z"
}

Other

No response
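
The report above names the bug class (prototype pollution through unflatten) but not what the guard looks like. The following is an added illustration, not part of the original issue and not hughsk/flat's or Cypress's code: a minimal unflatten in the style of flat, first in a naive form and then with a guard that rejects the __proto__, constructor and prototype path segments and builds the result on prototype-less objects. flat 5.0.1's real fix is in the commit linked in the report; the guard here is one common form of it, not a copy. The function names (unflattenUnsafe, unflattenSafe, findDangerousPaths, demonstrate) and the input object are constructed for the example.

```javascript
// Added example, not code from hughsk/flat or Cypress: a minimal unflatten in
// the style of flat, first without and then with a guard against prototype
// pollution. flat 5.0.1's actual fix is in the commit linked in the report;
// this guard is one common form of it, not a copy.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive unflatten: every dotted key is walked into nested objects, so a key
// such as "__proto__.isAdmin" descends into Object.prototype and writes there.
function unflattenUnsafe(flat, delimiter = '.') {
  const result = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split(delimiter);
    let node = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof node[parts[i]] !== 'object' || node[parts[i]] === null) {
        node[parts[i]] = {};
      }
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = value;
  }
  return result;
}

// Returns the keys of a flat object that would traverse a forbidden segment;
// usable as an input check before data reaches any unflatten-style routine.
function findDangerousPaths(flat, delimiter = '.') {
  return Object.keys(flat).filter((path) =>
    path.split(delimiter).some((seg) => FORBIDDEN_SEGMENTS.has(seg))
  );
}

// Hardened unflatten: dangerous paths are dropped, intermediate containers are
// reused only when they are own properties, and every container has no prototype.
function unflattenSafe(flat, delimiter = '.') {
  const result = Object.create(null);
  const dangerous = new Set(findDangerousPaths(flat, delimiter));
  for (const [path, value] of Object.entries(flat)) {
    if (dangerous.has(path)) continue;
    const parts = path.split(delimiter);
    let node = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      if (!Object.prototype.hasOwnProperty.call(node, key) ||
          typeof node[key] !== 'object' || node[key] === null) {
        node[key] = Object.create(null);
      }
      node = node[key];
    }
    node[parts[parts.length - 1]] = value;
  }
  return result;
}

// Constructed input standing in for an untrusted JSON body.
const CONSTRUCTED_INPUT = { 'user.name': 'alice', '__proto__.isAdmin': true };

// Runs both versions on the same input and reports whether a fresh, unrelated
// object ends up inheriting the injected property.
function demonstrate() {
  unflattenUnsafe(CONSTRUCTED_INPUT);
  const unsafePollutes = ({}).isAdmin === true; // a fresh object inherits it
  delete Object.prototype.isAdmin;              // undo the pollution
  const safeResult = unflattenSafe(CONSTRUCTED_INPUT);
  const safePollutes = ({}).isAdmin === true;
  return { unsafePollutes, safePollutes, safeResult };
}
```

In a service that accepts flattened keys from clients, findDangerousPaths is the cheap pre-check worth logging on: a request carrying such a key is a signal regardless of which unflatten implementation sits behind it.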

@cypress-app-bot
Collaborator

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

@cypress-app-bot cypress-app-bot added the stale no activity on this issue for a long period label Mar 11, 2024
@cypress-app-bot
Collaborator

This issue has been closed due to inactivity.

@MikeMcC399
Contributor

To reproduce the report, use for example:

trivy image --ignore-unfixed --vuln-type library --severity CRITICAL cypress/included:13.11.0

@jennifer-shehane jennifer-shehane added prevent-stale mark an issue so it is ignored by stale[bot] and removed stale no activity on this issue for a long period labels Jun 18, 2024
@jennifer-shehane
Member

yarn why flat

=> Found "[email protected]"
info Has been hoisted to "flat"
info Reasons this module exists
   - "workspace-aggregator-4ccc9eb4-a9ec-4fdb-936a-71b3e9708739" depends on it
   - Hoisted from "_project_#lerna#nx#flat"
   - Hoisted from "_project_#@cypress#webpack-batteries-included-preprocessor#mocha#yargs-unparser#flat"
   - Hoisted from "_project_#@packages#graphql#mocha#yargs-unparser#flat"
   - Hoisted from "_project_#@packages#icons#mocha#yargs-unparser#flat"
   - Hoisted from "_project_#@cypress#puppeteer#mocha#yargs-unparser#flat"
   - Hoisted from "_project_#@cypress#vite-dev-server#mocha#yargs-unparser#flat"
   - Hoisted from "_project_#@cypress#webpack-dev-server#mocha#yargs-unparser#flat"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "yargs-unparser#[email protected]"
info This module exists because "_project_#yargs-unparser" depends on it.
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 1
✨  Done in 1.77s.

@MikeMcC399
Contributor

MikeMcC399 commented Sep 2, 2024

[email protected] depends on [email protected] which depends on "flat": "^4.1.0".

CVE-2020-36632 requires flat >= 5.0.1 to resolve.

[email protected] updated to [email protected] which in turn depends on "flat": "^5.0.2". This meets the requirement to resolve CVE-2020-36632.

Therefore an update to >= [email protected] is required to resolve the critical severity vulnerability CVE-2020-36632.
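
The reasoning in this comment and the yarn why output above both come down to one question: which dependency paths still end at a flat version below the advisory's FixedVersion? As an added example that is not Cypress's, Trivy's or npm's code, the script below walks an npm ls --json style tree and lists every such path. The tree is constructed for the example and only mirrors the shape of the npm ls flat output later in the thread; the mocha and yargs-unparser version strings are placeholders, and the function names (findPaths, isAtLeast, audit) are my own.

```javascript
// Added example, not Cypress's or Trivy's code: walk an `npm ls --json`-style
// dependency tree and report every path ending at a package whose version is
// below the advisory's FixedVersion. The tree is constructed for the example;
// the placeholder versions for mocha and yargs-unparser are not real data.

const CONSTRUCTED_TREE = {
  name: 'app', version: '1.0.0',
  dependencies: {
    flat: { version: '5.0.2' },                 // hoisted top-level copy, fixed
    mocha: {
      version: '0.0.0-placeholder',
      dependencies: {
        'yargs-unparser': {
          version: '0.0.0-placeholder',
          dependencies: { flat: { version: '4.1.1' } },  // nested, still vulnerable
        },
      },
    },
  },
};

// Parse the leading major.minor.patch of a version string.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// true when `installed` is at or above `fixed`, comparing numerically per field
function isAtLeast(installed, fixed) {
  const a = parseVersion(installed), b = parseVersion(fixed);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Depth-first walk; each hit records the chain of package names from the root
// and the version installed at that position.
function findPaths(tree, pkgName, trail = [tree.name || 'root']) {
  const found = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = trail.concat(name);
    if (name === pkgName) found.push({ path, version: node.version });
    found.push(...findPaths(node, pkgName, path));
  }
  return found;
}

// Only the paths whose installed version is below the fixed version remain.
function audit(tree, pkgName, fixedVersion) {
  return findPaths(tree, pkgName).filter((p) => !isAtLeast(p.version, fixedVersion));
}

// Usage: prints the one path through mocha > yargs-unparser that still pulls in flat 4.1.1
if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of audit(CONSTRUCTED_TREE, 'flat', '5.0.1')) {
    console.log(`${hit.path.join(' > ')} is ${hit.version}, below fixed 5.0.1`);
  }
}
```

Run it against real output with npm ls --all --json piped into a file and passed to audit in place of CONSTRUCTED_TREE; a hoisted fixed copy at the top level does not clear the finding when a nested, older copy is still resolved by some consumer, which is exactly the mocha chain this comment traces.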

@jennifer-shehane jennifer-shehane changed the title CVE-2020-36632 reported in Trivy scan of cypress version 13.1 and earlier CVE-2020-36632 reported in Trivy scan for flat dependency Oct 1, 2024
@MikeMcC399
Contributor

MikeMcC399 commented Nov 4, 2024

@jennifer-shehane

I don't see this version of flat existing in the 13.5.2 (sic) prerelease of Cypress, maybe I'm missing it somewhere...

On Ubuntu 24.04.1 LTS, Node.js v22.11.0 LTS (x86 processor)

mkdir cy-test
cd cy-test
npm init -y
npm install https://cdn.cypress.io/beta/npm/13.15.2/linux-x64/develop-b0b28d3b0d3cd7977d7d6377d318a603868d11f9/cypress.tgz
cd ~/.cache/Cypress/beta-13.15.2-develop-b0b28d3b/Cypress/resources/app
npm ls flat
[email protected] /home/mike/.cache/Cypress/beta-13.15.2-develop-b0b28d3b/Cypress/resources/app
├── [email protected] extraneous
└─┬ [email protected] extraneous
  └── [email protected] deduped

@jennifer-shehane
Member

Yah, mocha. Not sure how I missed that.
