Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(security): force ansi-html > 0.0.8 - CVE-2021-23424 #1920

Closed
petermetz opened this issue Mar 14, 2022 · 0 comments · Fixed by #1921
Closed

fix(security): force ansi-html > 0.0.8 - CVE-2021-23424 #1920

petermetz opened this issue Mar 14, 2022 · 0 comments · Fixed by #1921
Assignees
Labels
dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities

Comments

@petermetz
Copy link
Contributor

Severity
High
7.5
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses
CWE-400
CVE ID
CVE-2021-23424
GHSA ID
GHSA-whgm-jr23-g3j9

Dependabot cannot update ansi-html to a non-vulnerable version
The latest possible version of ansi-html that can be installed is 0.0.7.

The earliest fixed version is 0.0.8.

Package
Affected versions
Patched version
ansi-html
(npm)
< 0.0.8
0.0.8
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Assignees:
Labels:

@petermetz petermetz self-assigned this Mar 14, 2022
@petermetz petermetz added dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities P1 Priority 1: Highest labels Mar 14, 2022
petermetz added a commit to petermetz/cacti that referenced this issue Mar 14, 2022
petermetz added a commit to petermetz/cacti that referenced this issue Mar 15, 2022
petermetz added a commit that referenced this issue Mar 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file P1 Priority 1: Highest Security Related to existing or potential security vulnerabilities
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant