
CVE-2021-44906 found on trivy scan for minimist dependency #28209

Open
eagle-txec opened this issue Nov 1, 2023 · 12 comments
Labels
type: security 🔐 Security related


@eagle-txec

Current behavior

Installed version is 0.0.8

Desired behavior

Upgrade fix version is 1.2.6

Test code to reproduce

Cypress Version

13.3.3

Node version

16.20.2

Operating System

Debug Logs

```json
"VulnerabilityID": "CVE-2021-44906",
          "InstalledVersion": "0.0.8",
          "LastModifiedDate": "2022-04-12T16:52:00Z"
        },
        {
          "CVSS": {
            "nvd": {
              "V2Score": 7.5,
              "V3Score": 9.8,
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "ghsa": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "redhat": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            }
          },
          "Layer": {
            "DiffID": "sha256:e2ddedde812d03ee158150d58a19d4458068fc655e610b0b0e3e95b10b30c6af"
          },
          "PkgID": "[email protected]",
          "Title": "prototype pollution",
          "CweIDs": [
            "CWE-1321"
          ],
          "Status": "fixed",
          "PkgName": "minimist",
          "PkgPath": "src/.artifacts/.cache/Cypress/13.3.3/Cypress/resources/app/node_modules/mocha-7.0.1/node_modules/minimist/package.json",
          "Severity": "CRITICAL",
          "DataSource": {
            "ID": "ghsa",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm",
            "Name": "GitHub Security Advisory npm"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-44906",
          "References": [
            "https://access.redhat.com/errata/RHSA-2023:0321",
            "https://access.redhat.com/security/cve/CVE-2021-44906",
            "https://bugzilla.redhat.com/2066009",
            "https://bugzilla.redhat.com/2130518",
            "https://bugzilla.redhat.com/2134609",
            "https://bugzilla.redhat.com/2140911",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2066009",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2130518",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2134609",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2140911",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2142808",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548",
            "https://errata.almalinux.org/9/ALSA-2023-0321.html",
            "https://errata.rockylinux.org/RLSA-2023:0321",
            "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip",
            "https://github.com/advisories/GHSA-xvch-5gv4-984h",
            "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703",
            "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb",
            "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d",
            "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11",
            "https://github.com/minimistjs/minimist/commits/v0.2.4",
            "https://github.com/minimistjs/minimist/issues/11",
            "https://github.com/minimistjs/minimist/pull/24",
            "https://github.com/substack/minimist",
            "https://github.com/substack/minimist/blob/master/index.js#L69",
            "https://github.com/substack/minimist/issues/164",
            "https://linux.oracle.com/cve/CVE-2021-44906.html",
            "https://linux.oracle.com/errata/ELSA-2023-0321.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
            "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764",
            "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068",
            "https://www.cve.org/CVERecord?id=CVE-2021-44906"
          ],
          "Description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).",
          "FixedVersion": "1.2.6, 0.2.4",
          "PublishedDate": "2022-03-17T16:15:00Z",
```

Other

No response
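The advisory quoted in the scan output (CWE-1321, prototype pollution through minimist's `setKey()`) describes a key-assignment routine that follows a user-controlled dotted path, so a segment such as `__proto__` can land a write on a shared prototype. The block below is an added example, not code from minimist, Cypress or Trivy: a minimal dotted-key argv parser whose `setKey` applies a guard of the kind the fixed versions rely on (prototype-reaching segments are rejected, and intermediate containers are created with `Object.create(null)` so they carry no prototype to reach). The names `parseArgs`, `setKey`, `isForbiddenKey` and `prototypeIsClean` are this example's own.

```javascript
// Added example (not minimist, Cypress or Trivy code): a dotted-key argv
// parser with the guard that closes CWE-1321 in a setKey()-style routine.
// All function names here are this example's own.

// Path segments that would let a parsed key walk onto a shared prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function isForbiddenKey(segment) {
  return FORBIDDEN_SEGMENTS.has(segment);
}

// Assign `value` at the dotted path `keys` inside `obj`. A path containing a
// forbidden segment is dropped as a whole and the function returns false:
// rejecting the whole path avoids creating an intermediate object the caller
// never asked for. Returns true when the assignment was made.
function setKey(obj, keys, value) {
  if (keys.length === 0 || keys.some(isForbiddenKey)) {
    return false;
  }
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Only descend into containers this parser created itself: an own,
    // non-null object. Anything else (including an inherited property) is
    // replaced by a fresh prototype-less container.
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) {
      o[key] = Object.create(null);
    }
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Parse `--a.b=c` (string value at a dotted path), `--flag` (boolean true)
// and positional arguments, which are collected under `_`.
function parseArgs(argv) {
  const result = { _: [] };
  for (const arg of argv) {
    if (!arg.startsWith('--')) {
      result._.push(arg);
      continue;
    }
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    const path = (eq === -1 ? body : body.slice(0, eq)).split('.');
    const value = eq === -1 ? true : body.slice(eq + 1);
    setKey(result, path, value);
  }
  return result;
}

// Check a test suite can run after parsing untrusted argv: a fresh object
// must not have inherited any of the listed property names.
function prototypeIsClean(names) {
  const probe = {};
  return names.every((n) => !(n in probe));
}

// Usage with constructed input (not taken from any real Cypress invocation).
const demo = parseArgs(['--spec=cypress/e2e/a.cy.js', '--env.debug=1', 'positional']);
console.log(JSON.stringify(demo));
console.log('prototype clean:', prototypeIsClean(['polluted']));
```

`prototypeIsClean` is the assertion worth keeping in a test suite for any parser that turns untrusted strings into object paths: it checks the effect (nothing inherited by a fresh `{}`) rather than the parser's internals, so it still holds when the parser is swapped for a library version.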

@eagle-txec eagle-txec changed the title CVE-2021-44906 CVE-2021-44906 found on trivy scan cypress version is 13.3.3 Nov 1, 2023
@levpachmanov

Hey @eagle-txec,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created a minimatch 3.0.4-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at [email protected] if you have any requests/questions.

@shank1290

shank1290 commented May 16, 2024

The issue exists with 13.7.3 as well

```text
| minimist | CVE-2021-44906 | current version - 0.0.8 | fixed - 1.2.6, 0.2.4 | minimist: prototype pollution | https://avd.aquasec.com/nvd/cve-2021-44906 |
```

@MikeMcC399
Contributor

To reproduce the report, use for example:

```shell
trivy image --ignore-unfixed --vuln-type library --severity CRITICAL cypress/included:13.11.0
```

@jennifer-shehane
Member

From yarn why

yarn why minimist
yarn why v1.22.19
[1/4] 🤔  Why do we have the module "minimist"...?
[2/4] 🚚  Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "[email protected]"
warning Resolution field "[email protected]" is incompatible with requested version "pretty-format@^27.0.2"
warning Resolution field "[email protected]" is incompatible with requested version "vue-template-compiler@^2.7.14"
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "minimist"
info Reasons this module exists
   - "workspace-aggregator-199e8a63-af5b-4011-b122-b173c4ba507f" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#minimist"
   - Hoisted from "_project_#@packages#electron#minimist"
   - Hoisted from "_project_#@packages#server#minimist"
   - Hoisted from "_project_#check-dependencies#minimist"
   - Hoisted from "_project_#patch-package#minimist"
   - Hoisted from "_project_#prebuild-install#minimist"
   - Hoisted from "_project_#mkdirp#minimist"
   - Hoisted from "_project_#@electron#fuses#minimist"
   - Hoisted from "_project_#autobarrel#minimist"
   - Hoisted from "_project_#http-server#minimist"
   - Hoisted from "_project_#tsconfig-paths#minimist"
   - Hoisted from "_project_#cypress#minimist"
   - Hoisted from "_project_#http-server#ecstatic#minimist"
   - Hoisted from "_project_#@tooling#v8-snapshot#cpr#minimist"
   - Hoisted from "_project_#@cypress#webpack-preprocessor#dependency-check#minimist"
   - Hoisted from "_project_#cypress#dependency-check#minimist"
   - Hoisted from "_project_#loader-utils#json5#minimist"
   - Hoisted from "_project_#tsconfig-paths#json5#minimist"
   - Hoisted from "_project_#@packages#frontend-shared#patch-package#minimist"
   - Hoisted from "_project_#prebuild-install#rc#minimist"
   - Hoisted from "_project_#lerna#strong-log-transformer#minimist"
   - Hoisted from "_project_#@packages#server#tsconfig-paths#minimist"
   - Hoisted from "_project_#@packages#server#firefox-profile#minimist"
   - Hoisted from "_project_#cypress#dependency-check#detective#minimist"
   - Hoisted from "_project_#electron-builder#app-builder-lib#electron-osx-sign#minimist"
   - Hoisted from "_project_#@packages#server#better-sqlite3#prebuild-install#minimist"
   - Hoisted from "_project_#@packages#electron#electron-packager#@electron#osx-sign#minimist"
   - Hoisted from "_project_#lerna#nx#tsconfig-paths#minimist"
   - Hoisted from "_project_#semantic-release#@semantic-release#release-notes-generator#conventional-changelog-writer#handlebars#minimist"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 0
=> Found "stop-only#[email protected]"
info This module exists because "_project_#stop-only" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "snap-shot-core#[email protected]"
info Reasons this module exists
   - "_project_#snap-shot-core#mkdirp" depends on it
   - Hoisted from "_project_#snap-shot-core#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "mocha#[email protected]"
info Reasons this module exists
   - "_project_#mocha#mkdirp" depends on it
   - Hoisted from "_project_#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "deps-ok#[email protected]"
info This module exists because "_project_#@cypress#webpack-preprocessor#deps-ok" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "bower-config#[email protected]"
info This module exists because "_project_#check-dependencies#bower-config" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "mocha-7.0.1#[email protected]"
info Reasons this module exists
   - "_project_#@packages#server#mocha-7.0.1#mkdirp" depends on it
   - Hoisted from "_project_#@packages#server#mocha-7.0.1#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/example#[email protected]"
info Reasons this module exists
   - "_project_#@packages#example#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#example#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "cypress#mkdirp#[email protected]"
info This module exists because "_project_#cypress#mocha#mkdirp" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/network#[email protected]"
info Reasons this module exists
   - "_project_#@packages#network#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#network#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/config#[email protected]"
info Reasons this module exists
   - "_project_#@packages#config#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#config#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/data-context#[email protected]"
info Reasons this module exists
   - "_project_#@packages#data-context#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#data-context#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/driver#[email protected]"
info Reasons this module exists
   - "_project_#@packages#driver#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#driver#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/errors#[email protected]"
info Reasons this module exists
   - "_project_#@packages#errors#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#errors#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/packherd-require#[email protected]"
info Reasons this module exists
   - "_project_#@packages#packherd-require#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#packherd-require#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/scaffold-config#[email protected]"
info Reasons this module exists
   - "_project_#@packages#scaffold-config#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#scaffold-config#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/telemetry#[email protected]"
info Reasons this module exists
   - "_project_#@packages#telemetry#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#telemetry#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/v8-snapshot-require#[email protected]"
info Reasons this module exists
   - "_project_#@packages#v8-snapshot-require#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@packages#v8-snapshot-require#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/electron-mksnapshot#[email protected]"
info Reasons this module exists
   - "_project_#@tooling#electron-mksnapshot#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@tooling#electron-mksnapshot#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/packherd#[email protected]"
info Reasons this module exists
   - "_project_#@tooling#packherd#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@tooling#packherd#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/v8-snapshot#[email protected]"
info Reasons this module exists
   - "_project_#@tooling#v8-snapshot#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@tooling#v8-snapshot#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/server#mkdirp#[email protected]"
info This module exists because "_project_#@packages#server#mocha#mkdirp" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/system-tests#[email protected]"
info Reasons this module exists
   - "_project_#@tooling#system-tests#mocha#mkdirp" depends on it
   - Hoisted from "_project_#@tooling#system-tests#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/driver#multer#[email protected]"
info Reasons this module exists
   - "_project_#@packages#driver#multer#mkdirp" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#@packages#driver#multer#mkdirp#minimist"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 0
=> Found "optimist#[email protected]"
info This module exists because "_project_#@fellow#eslint-plugin-coffee#@fellow#coffeelint2#optimist" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "resize-img#[email protected]"
info Reasons this module exists
   - "_project_#@packages#icons#to-ico#resize-img#jimp#mkdirp" depends on it
   - Hoisted from "_project_#@packages#icons#to-ico#resize-img#jimp#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
✨  Done in 2.13s.

@hjqgloria

Hi, installed the latest cypress/included:13.13.0 and still a critical security vulnerability.

Command: RUN |6 NODE_VERSION=20.14.0 YARN_VERSION=1.22.22 CHROME_VERSION=126.0.6478.114-1 EDGE_VERSION=126.0.2592.61-1 FIREFOX_VERSION=127.0.1 CYPRESS_VERSION=13.13.0 /bin/sh -c node /opt/installScripts/cypress/install-cypress-version.js ${CYPRESS_VERSION} # buildkit

@jennifer-shehane
Member

We're open to PRs to fix this. We have no reason to believe this critical vulnerability has any actual exposure with the way Cypress is executed.

@jennifer-shehane jennifer-shehane added the type: security 🔐 Security related label Jul 3, 2024
@hjqgloria

> We're open to PRs to fix this. We have no reason to believe this critical vulnerability has any actual exposure with the way Cypress is executed.

Ok, how about the other 3 critical? Will they be fixed, or is it the same case as minimist? Or do we need to open new issues?

@jennifer-shehane jennifer-shehane changed the title CVE-2021-44906 found on trivy scan cypress version is 13.3.3 CVE-2021-44906 found on trivy scan for minimist dependency Oct 1, 2024
@MikeMcC399
Contributor

MikeMcC399 commented Nov 1, 2024

@hjqgloria

Two of the vulnerabilities you listed have now been fixed.

Current status for cypress/included:13.15.1

```text
$ trivy image --ignore-unfixed --pkg-types library --scanners vuln --severity CRITICAL cypress/included

Node.js (node-pkg)

Total: 2 (CRITICAL: 2)

┌─────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│         Library         │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ flat (package.json)     │ CVE-2020-36632 │ CRITICAL │ fixed  │ 4.1.1             │ 5.0.1         │ flat vulnerable to Prototype Pollution     │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-36632 │
├─────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────┤
│ minimist (package.json) │ CVE-2021-44906 │          │        │ 0.0.8             │ 1.2.6, 0.2.4  │ minimist: prototype pollution              │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-44906 │
└─────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘
```

@jennifer-shehane
Member

@MikeMcC399 I don't see this version of flat existing in the 13.5.2 prerelease of Cypress, maybe I'm missing it somewhere...

@MikeMcC399
Contributor

@jennifer-shehane

> I don't see this version of flat existing in the 13.5.2 prerelease of Cypress, maybe I'm missing it somewhere...

Since this issue is about minimist I answered instead in #27763 (comment) in detail. [email protected] is included in the Cypress binary 13.15.2 pre-release.

@jennifer-shehane
Member

#30546 will remove some old minimist versions, but not all
