CVE-2022-3517 reported in Trivy scan of cypress version 13.1 and earlier #27766
Comments
|
@gaccardo-slb We’re open to a pull request to update this. We do security scanning ourselves. Most vulnerabilities are not applicable to the way Cypress is executed however. |
|
Hey @gaccardo-slb, If relevant, check out our GitHub repo if you wish to learn more, or start using our app. Please feel free to reach us at [email protected] if you have any requests/questions. |
|
This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided. |
|
This issue has been closed due to inactivity. |
Current behavior
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Desired behavior
Upgrade minimatch to version 3.0.5 or later
Test code to reproduce
none
Cypress Version
13.1.0 and earlier
Node version
18.17
Operating System
ubuntu:kinetic
Debug Logs
{ "VulnerabilityID": "CVE-2022-3517", "PkgID": "[email protected]", "PkgName": "minimatch", "PkgPath": "/.cache/Cypress/13.1.0/Cypress/resources/app/node_modules/mocha-7.0.1/node_modules/minimatch/package.json", "InstalledVersion": "3.0.4", "FixedVersion": "3.0.5", "Status": "fixed", "Layer": { "DiffID": "sha256:97140796650ca4add333e8b8d7ddfe0afbf0f4b4d0523cdee7192414312a1068" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3517", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory Npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Title": "ReDoS via the braceExpand function", "Description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2023:0321", "https://access.redhat.com/security/cve/CVE-2022-3517", "https://bugzilla.redhat.com/2066009", "https://bugzilla.redhat.com/2130518", "https://bugzilla.redhat.com/2134609", "https://bugzilla.redhat.com/2140911", "https://bugzilla.redhat.com/show_bug.cgi?id=2066009", "https://bugzilla.redhat.com/show_bug.cgi?id=2130518", "https://bugzilla.redhat.com/show_bug.cgi?id=2134609", "https://bugzilla.redhat.com/show_bug.cgi?id=2140911", "https://bugzilla.redhat.com/show_bug.cgi?id=2142808", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35256", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", "https://errata.almalinux.org/9/ALSA-2023-0321.html", "https://errata.rockylinux.org/RLSA-2023:0321", "https://github.com/grafana/grafana-image-renderer/issues/329", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5)", "https://github.com/nodejs/node/issues/42510", "https://linux.oracle.com/cve/CVE-2022-3517.html", "https://linux.oracle.com/errata/ELSA-2023-1743.html", "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", "https://lists.fedoraproject.org/archives/list/[email protected]/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", "https://lists.fedoraproject.org/archives/list/[email protected]/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", "https://ubuntu.com/security/notices/USN-6086-1", "https://www.cve.org/CVERecord?id=CVE-2022-3517" ], "PublishedDate": "2022-10-17T20:15:00Z", "LastModifiedDate": "2023-07-21T21:04:00Z" }Other
No response
The text was updated successfully, but these errors were encountered: