github.com/argoproj/argo-cd/v3@v3.2.1/docs/snyk/v3.1.5/argocd-test.html

<!DOCTYPE html>
<html lang="en">

<head>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
  <meta name="description" content="9 known vulnerabilities found in 29 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
  <style type="text/css">

    body {
      -moz-font-feature-settings: "pnum";
      -webkit-font-feature-settings: "pnum";
      font-variant-numeric: proportional-nums;
      display: flex;
      flex-direction: column;
      font-feature-settings: "pnum";
      font-size: 100%;
      line-height: 1.5;
      min-height: 100vh;
      -webkit-text-size-adjust: 100%;
      margin: 0;
      padding: 0;
      background-color: #F5F5F5;
      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
    }

    h1,
    h2,
    h3,
    h4,
    h5,
    h6 {
      font-weight: 500;
    }

    a,
    a:link,
    a:visited {
      border-bottom: 1px solid #4b45a9;
      text-decoration: none;
      color: #4b45a9;
    }

    a:hover,
    a:focus,
    a:active {
      border-bottom: 1px solid #4b45a9;
    }

    hr {
      border: none;
      margin: 1em 0;
      border-top: 1px solid #c5c5c5;
    }

    ul {
      padding: 0 1em;
      margin: 1em 0;
    }

    code {
      background-color: #EEE;
      color: #333;
      padding: 0.25em 0.5em;
      border-radius: 0.25em;
    }

    pre {
      background-color: #333;
      font-family: monospace;
      padding: 0.5em 1em 0.75em;
      border-radius: 0.25em;
      font-size: 14px;
    }

    pre code {
      padding: 0;
      background-color: transparent;
      color: #fff;
    }

    a code {
      border-radius: .125rem .125rem 0 0;
      padding-bottom: 0;
      color: #4b45a9;
    }

    a[href^="http://"]:after,
    a[href^="https://"]:after {
      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
      background-repeat: no-repeat;
      background-size: .75rem;
      content: "";
      display: inline-block;
      height: .75rem;
      margin-left: .25rem;
      width: .75rem;
    }


  /* Layout */

    [class*=layout-container] {
      margin: 0 auto;
      max-width: 71.25em;
      padding: 1.9em 1.3em;
      position: relative;
    }
    .layout-container--short {
      padding-top: 0;
      padding-bottom: 0;
      max-width: 48.75em;
    }

    .layout-container--short:after {
      display: block;
      content: "";
      clear: both;
    }

  /* Header */

    .header {
      padding-bottom: 1px;
    }

    .paths {
      margin-left: 8px;
    }
    .header-wrap {
      display: flex;
      flex-direction: row;
      justify-content: space-between;
      padding-top: 2em;
    }
    .project__header {
      background-color: #030328;
      color: #fff;
      margin-bottom: -1px;
      padding-top: 1em;
      padding-bottom: 0.25em;
      border-bottom: 2px solid #BBB;
    }

    .project__header__title {
      overflow-wrap: break-word;
      word-wrap: break-word;
      word-break: break-all;
      margin-bottom: .1em;
      margin-top: 0;
    }

    .timestamp {
      float: right;
      clear: none;
      margin-bottom: 0;
    }

    .meta-counts {
      clear: both;
      display: block;
      flex-wrap: wrap;
      justify-content: space-between;
      margin: 0 0 1.5em;
      color: #fff;
      font-size: 1.1em;
    }

    .meta-count {
      display: block;
      flex-basis: 100%;
      margin: 0 1em 1em 0;
      float: left;
      padding-right: 1em;
      border-right: 2px solid #fff;
    }

    .meta-count:last-child {
      border-right: 0;
      padding-right: 0;
      margin-right: 0;
    }

  /* Card */

    .card {
      background-color: #fff;
      border: 1px solid #c5c5c5;
      border-radius: .25rem;
      margin: 0 0 2em 0;
      position: relative;
      min-height: 40px;
      padding: 1.5em;
    }

    .card__labels {
      position: absolute;
      top: 1.1em;
      left: 0;
      display: flex;
      align-items: center;
      gap: 8px;
    }

    .card .label {
      background-color: #767676;
      border: 2px solid #767676;
      color: white;
      padding: 0.25rem 0.75rem;
      font-size: 0.875rem;
      text-transform: uppercase;
      display: inline-block;
      margin: 0;
      border-radius: 0.25rem;
    }

    .card .label__text {
      vertical-align: text-top;
      font-weight: bold;
    }

    .card .label--critical {
      background-color: #AB1A1A;
      border-color: #AB1A1A;
    }

    .card .label--high {
      background-color: #CE5019;
      border-color: #CE5019;
    }

    .card .label--medium {
      background-color: #D68000;
      border-color: #D68000;
    }

    .card .label--low {
      background-color: #88879E;
      border-color: #88879E;
    }

    .severity--low {
      border-color: #88879E;
    }

    .severity--medium {
      border-color: #D68000;
    }

    .severity--high {
      border-color: #CE5019;
    }

    .severity--critical {
      border-color: #AB1A1A;
    }

    .card--vuln {
      padding-top: 4em;
    }

    .card--vuln .card__labels > .label:first-child {
      padding-left: 1.9em;
      padding-right: 1.9em;
      border-radius: 0 0.25rem 0.25rem 0;
    }

    .card--vuln .card__section h2 {
      font-size: 22px;
      margin-bottom: 0.5em;
    }

    .card--vuln .card__section p {
      margin: 0 0 0.5em 0;
    }

    .card--vuln .card__meta {
      padding: 0 0 0 1em;
      margin: 0;
      font-size: 1.1em;
    }

    .card .card__meta__paths {
      font-size: 0.9em;
    }

    .card--vuln .card__title {
      font-size: 28px;
      margin-top: 0;
      margin-right: 100px; /* Ensure space for the risk score */
    }

    .card--vuln .card__cta p {
      margin: 0;
      text-align: right;
    }

    .risk-score-display {
      position: absolute;
      top: 1.5em;
      right: 1.5em;
      text-align: right;
      z-index: 10;
    }

    .risk-score-display__label {
      font-size: 0.7em;
      font-weight: bold;
      color: #586069;
      text-transform: uppercase;
      line-height: 1;
      margin-bottom: 3px;
    }

    .risk-score-display__value {
      font-size: 1.9em;
      font-weight: 600;
      color: #24292e;
      line-height: 1;
    }

    .source-panel {
      clear: both;
      display: flex;
      justify-content: flex-start;
      flex-direction: column;
      align-items: flex-start;
      padding: 0.5em 0;
      width: fit-content;
    }

  </style>
  <style type="text/css">
    .metatable {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      margin-top: 12px;
      border-collapse: collapse;
      border-spacing: 0;
      font-variant-numeric: tabular-nums;
      max-width: 51.75em;
    }

    tbody {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      flex-wrap: wrap;
    }

    .meta-row {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      outline: none;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      align-items: start;
      border-top: 1px solid #d3d3d9;
      padding: 8px 0 0 0;
      border-bottom: none;
      margin: 8px;
      width: 47.75%;
    }

    .meta-row-label {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      color: #4c4a73;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      margin: 0;
      outline: none;
      text-decoration: none;
      z-index: auto;
      align-self: start;
      flex: 1;
      font-size: 1rem;
      line-height: 1.5rem;
      padding: 0;
      text-align: left;
      vertical-align: top;
      text-transform: none;
      letter-spacing: 0;
    }

    .meta-row-value {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      word-break: break-word;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: right;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
    }
  </style>
</head>

<body class="section-projects">
  <main class="layout-stacked">
        <div class="layout-stacked__header header">
          <header class="project__header">
            <div class="layout-container">
              <a class="brand" href="https://snyk.io" title="Snyk">
                <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
                  <title>Snyk - Open Source Security</title>
                  <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
                    <g fill="#fff">
                      <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
                    </g>
                  </g>
                </svg>
              </a>
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>

                <p class="timestamp">September 14th 2025, 12:24:09 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
                <ul>
                  <li class="paths">/argo-cd/argoproj/argo-cd/v3/go.mod (gomodules)</li>
                  <li class="paths">/argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)</li>
                  <li class="paths">/argo-cd/ui/yarn.lock (yarn)</li>
                </ul>
              </div>

              <div class="meta-counts">
                <div class="meta-count"><span>9</span> <span>known vulnerabilities</span></div>
                <div class="meta-count"><span>29 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>2103</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
          </header><!-- .project__header -->
        </div><!-- .layout-stacked__header -->

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
            <h2 class="card__title">Predictable Value Range from Previous Values</h2>
            <div class="card__section">

                <div class="card__labels">
                    <div class="label label--critical">
                        <span class="label__text">critical severity</span>
                    </div>
                </div>

                <hr/>

                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
                    </li>
                    <li class="card__meta__item">
                        Package Manager: npm
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:

                            form-data
                    </li>

                    <li class="card__meta__item">Introduced through:


                                    argo-cd-ui@1.0.0, superagent@8.1.2 and others
                    </li>
                </ul>

                <hr/>


                        <h3 class="card__section__title">Detailed paths</h3>

                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        argo-cd-ui@1.0.0
                                         <span class="list-paths__item__arrow">›</span> 
                                        superagent@8.1.2
                                         <span class="list-paths__item__arrow">›</span> 
                                        form-data@4.0.0

                                </span>

                            </li>
                    </ul><!-- .list-paths -->

            </div><!-- .card__section -->

              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p>Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the <code>boundary</code> value, which uses <code>Math.random()</code>. An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>form-data</code> to version 2.5.4, 3.0.4, 4.0.4 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0">GitHub Commit</a></li>
        <li><a href="https://github.com/form-data/form-data/commit/b88316c94bb004323669cd3639dc8bb8262539eb">GitHub Commit</a></li>
        <li><a href="https://github.com/form-data/form-data/commit/c6ced61d4fae8f617ee2fd692133ed87baa5d0fd">GitHub Commit</a></li>
        <li><a href="https://github.com/benweissmann/CVE-2025-7783-poc">POC</a></li>
        <li><a href="https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347">Vulnerable Code</a></li>
        </ul>

              <hr/>

            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-JS-FORMDATA-10841150">More about this vulnerability</a></p>
            </div>

        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">

                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>

                <hr/>

                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:

                            github.com/r3labs/diff/v3
                    </li>

                    <li class="card__meta__item">Introduced through:

                                github.com/argoproj/argo-cd/v3@0.0.0 and github.com/r3labs/diff/v3@3.0.1

                    </li>
                </ul>

                <hr/>


                        <h3 class="card__section__title">Detailed paths</h3>

                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/argoproj/argo-cd/v3@0.0.0
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/r3labs/diff/v3@3.0.1

                                </span>

                            </li>
                    </ul><!-- .list-paths -->

            </div><!-- .card__section -->

              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>

              <hr/>

            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:v3:MPL-2.0">More about this vulnerability</a></p>
            </div>

        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">

                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>

                <hr/>

                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:

                            github.com/hashicorp/go-version
                    </li>

                    <li class="card__meta__item">Introduced through:


                                    github.com/argoproj/argo-cd/v3@0.0.0, code.gitea.io/sdk/gitea@0.21.0 and others
                    </li>
                </ul>

                <hr/>


                        <h3 class="card__section__title">Detailed paths</h3>

                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/argoproj/argo-cd/v3@0.0.0
                                         <span class="list-paths__item__arrow">›</span> 
                                        code.gitea.io/sdk/gitea@0.21.0
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-version@1.7.0

                                </span>

                            </li>
                    </ul><!-- .list-paths -->

            </div><!-- .card__section -->

              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>

              <hr/>

            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p>
            </div>

        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">

                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>

                <hr/>

                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:

                            github.com/hashicorp/go-retryablehttp
                    </li>

                    <li class="card__meta__item">Introduced through:

                                github.com/argoproj/argo-cd/v3@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.7

                    </li>
                </ul>

                <hr/>


                        <h3 class="card__section__title">Detailed paths</h3>

                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/argoproj/argo-cd/v3@0.0.0
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-retryablehttp@0.7.7

                                </span>

                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/argoproj/argo-cd/v3@0.0.0
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-retryablehttp@0.7.7

                                </span>

                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/argoproj/argo-cd/v3@0.0.0
                                         <span class="list-paths__item__arrow">›</span> 
                                        gitlab.com/gitlab-org/api/client-go@0.130.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-retryablehttp@0.7.7

                                </span>

                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/argoproj/argo-cd/v3@0.0.0
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-retryablehttp@0.7.7

                                </span>

                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/argoproj/argo-cd/v3@0.0.0
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
   800                                           <span class="list-paths__item__arrow">›</span> 
   801                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
   802                                           <span class="list-paths__item__arrow">›</span> 
   803                                          github.com/hashicorp/go-retryablehttp@0.7.7
   804                                          
   805                                  </span>
   806          
   807                              </li>
   808                                  <li>
   809                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   810                                          github.com/argoproj/argo-cd/v3@0.0.0
   811                                           <span class="list-paths__item__arrow">›</span> 
   812                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
   813                                           <span class="list-paths__item__arrow">›</span> 
   814                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
   815                                           <span class="list-paths__item__arrow">›</span> 
   816                                          github.com/hashicorp/go-retryablehttp@0.7.7
   817                                          
   818                                  </span>
   819          
   820                              </li>
   821                                  <li>
   822                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   823                                          github.com/argoproj/argo-cd/v3@0.0.0
   824                                           <span class="list-paths__item__arrow">›</span> 
   825                                          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
   826                                           <span class="list-paths__item__arrow">›</span> 
   827                                          github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
   828                                           <span class="list-paths__item__arrow">›</span> 
   829                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
   830                                           <span class="list-paths__item__arrow">›</span> 
   831                                          github.com/hashicorp/go-retryablehttp@0.7.7
   832                                          
   833                                  </span>
   834          
   835                              </li>
   836                                  <li>
   837                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   838                                          github.com/argoproj/argo-cd/v3@0.0.0
   839                                           <span class="list-paths__item__arrow">›</span> 
   840                                          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
   841                                           <span class="list-paths__item__arrow">›</span> 
   842                                          github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
   843                                           <span class="list-paths__item__arrow">›</span> 
   844                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
   845                                           <span class="list-paths__item__arrow">›</span> 
   846                                          github.com/hashicorp/go-retryablehttp@0.7.7
   847                                          
   848                                  </span>
   849          
   850                              </li>
   851                                  <li>
   852                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   853                                          github.com/argoproj/argo-cd/v3@0.0.0
   854                                           <span class="list-paths__item__arrow">›</span> 
   855                                          github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
   856                                           <span class="list-paths__item__arrow">›</span> 
   857                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
   858                                           <span class="list-paths__item__arrow">›</span> 
   859                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
   860                                           <span class="list-paths__item__arrow">›</span> 
   861                                          github.com/hashicorp/go-retryablehttp@0.7.7
   862                                          
   863                                  </span>
   864          
   865                              </li>
   866                                  <li>
   867                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   868                                          github.com/argoproj/argo-cd/v3@0.0.0
   869                                           <span class="list-paths__item__arrow">›</span> 
   870                                          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
   871                                           <span class="list-paths__item__arrow">›</span> 
   872                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
   873                                           <span class="list-paths__item__arrow">›</span> 
   874                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
   875                                           <span class="list-paths__item__arrow">›</span> 
   876                                          github.com/hashicorp/go-retryablehttp@0.7.7
   877                                          
   878                                  </span>
   879          
   880                              </li>
   881                                  <li>
   882                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   883                                          github.com/argoproj/argo-cd/v3@0.0.0
   884                                           <span class="list-paths__item__arrow">›</span> 
   885                                          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
   886                                           <span class="list-paths__item__arrow">›</span> 
   887                                          github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
   888                                           <span class="list-paths__item__arrow">›</span> 
   889                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
   890                                           <span class="list-paths__item__arrow">›</span> 
   891                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
   892                                           <span class="list-paths__item__arrow">›</span> 
   893                                          github.com/hashicorp/go-retryablehttp@0.7.7
   894                                          
   895                                  </span>
   896          
   897                              </li>
   898                                  <li>
   899                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   900                                          github.com/argoproj/argo-cd/v3@0.0.0
   901                                           <span class="list-paths__item__arrow">›</span> 
   902                                          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
   903                                           <span class="list-paths__item__arrow">›</span> 
   904                                          github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
   905                                           <span class="list-paths__item__arrow">›</span> 
   906                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
   907                                           <span class="list-paths__item__arrow">›</span> 
   908                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
   909                                           <span class="list-paths__item__arrow">›</span> 
   910                                          github.com/hashicorp/go-retryablehttp@0.7.7
   911                                          
   912                                  </span>
   913          
   914                              </li>
   915                      </ul><!-- .list-paths -->
   916          
   917              </div><!-- .card__section -->
   918          
   919                <hr/>
   920                <!-- Overview -->
   921                <p>MPL-2.0 license</p>
   922          
   923                <hr/>
   924          
   925              <div class="cta card__cta">
   926                  <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p>
   927              </div>
   928          
   929          </div><!-- .card -->
   930          <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
   931              <h2 class="card__title">MPL-2.0 license</h2>
   932              <div class="card__section">
   933          
   934                  <div class="card__labels">
   935                      <div class="label label--medium">
   936                          <span class="label__text">medium severity</span>
   937                      </div>
   938                  </div>
   939          
   940                  <hr/>
   941          
   942                  <ul class="card__meta">
   943                      <li class="card__meta__item">
   944                          Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
   945                      </li>
   946                      <li class="card__meta__item">
   947                          Package Manager: golang
   948                      </li>
   949                      <li class="card__meta__item">
   950                              Module:
   951          
   952                              github.com/hashicorp/go-cleanhttp
   953                      </li>
   954          
   955                      <li class="card__meta__item">Introduced through:
   956          
   957          
   958                                      github.com/argoproj/argo-cd/v3@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.7 and others
   959                      </li>
   960                  </ul>
   961          
   962                  <hr/>
   963          
   964          
   965                          <h3 class="card__section__title">Detailed paths</h3>
   966          
   967                      <ul class="card__meta__paths">
   968                                  <li>
   969                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   970                                          github.com/argoproj/argo-cd/v3@0.0.0
   971                                           <span class="list-paths__item__arrow">›</span> 
   972                                          github.com/hashicorp/go-retryablehttp@0.7.7
   973                                           <span class="list-paths__item__arrow">›</span> 
   974                                          github.com/hashicorp/go-cleanhttp@0.5.2
   975                                          
   976                                  </span>
   977          
   978                              </li>
   979                                  <li>
   980                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   981                                          github.com/argoproj/argo-cd/v3@0.0.0
   982                                           <span class="list-paths__item__arrow">›</span> 
   983                                          gitlab.com/gitlab-org/api/client-go@0.130.1
   984                                           <span class="list-paths__item__arrow">›</span> 
   985                                          github.com/hashicorp/go-cleanhttp@0.5.2
   986                                          
   987                                  </span>
   988          
   989                              </li>
   990                                  <li>
   991                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
   992                                          github.com/argoproj/argo-cd/v3@0.0.0
   993                                           <span class="list-paths__item__arrow">›</span> 
   994                                          gitlab.com/gitlab-org/api/client-go@0.130.1
   995                                           <span class="list-paths__item__arrow">›</span> 
   996                                          github.com/hashicorp/go-retryablehttp@0.7.7
   997                                           <span class="list-paths__item__arrow">›</span> 
   998                                          github.com/hashicorp/go-cleanhttp@0.5.2
   999                                          
  1000                                  </span>
  1001          
  1002                              </li>
  1003                                  <li>
  1004                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1005                                          github.com/argoproj/argo-cd/v3@0.0.0
  1006                                           <span class="list-paths__item__arrow">›</span> 
  1007                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
  1008                                           <span class="list-paths__item__arrow">›</span> 
  1009                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
  1010                                           <span class="list-paths__item__arrow">›</span> 
  1011                                          github.com/hashicorp/go-retryablehttp@0.7.7
  1012                                           <span class="list-paths__item__arrow">›</span> 
  1013                                          github.com/hashicorp/go-cleanhttp@0.5.2
  1014                                          
  1015                                  </span>
  1016          
  1017                              </li>
  1018                                  <li>
  1019                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1020                                          github.com/argoproj/argo-cd/v3@0.0.0
  1021                                           <span class="list-paths__item__arrow">›</span> 
  1022                                          github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
  1023                                           <span class="list-paths__item__arrow">›</span> 
  1024                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
  1025                                           <span class="list-paths__item__arrow">›</span> 
  1026                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
  1027                                           <span class="list-paths__item__arrow">›</span> 
  1028                                          github.com/hashicorp/go-retryablehttp@0.7.7
  1029                                           <span class="list-paths__item__arrow">›</span> 
  1030                                          github.com/hashicorp/go-cleanhttp@0.5.2
  1031                                          
  1032                                  </span>
  1033          
  1034                              </li>
  1035                                  <li>
  1036                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1037                                          github.com/argoproj/argo-cd/v3@0.0.0
  1038                                           <span class="list-paths__item__arrow">›</span> 
  1039                                          github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872
  1040                                           <span class="list-paths__item__arrow">›</span> 
  1041                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
  1042                                           <span class="list-paths__item__arrow">›</span> 
  1043                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
  1044                                           <span class="list-paths__item__arrow">›</span> 
  1045                                          github.com/hashicorp/go-retryablehttp@0.7.7
  1046                                           <span class="list-paths__item__arrow">›</span> 
  1047                                          github.com/hashicorp/go-cleanhttp@0.5.2
  1048                                          
  1049                                  </span>
  1050          
  1051                              </li>
  1052                                  <li>
  1053                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1054                                          github.com/argoproj/argo-cd/v3@0.0.0
  1055                                           <span class="list-paths__item__arrow">›</span> 
  1056                                          github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872
  1057                                           <span class="list-paths__item__arrow">›</span> 
  1058                                          github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
  1059                                           <span class="list-paths__item__arrow">›</span> 
  1060                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
  1061                                           <span class="list-paths__item__arrow">›</span> 
  1062                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
  1063                                           <span class="list-paths__item__arrow">›</span> 
  1064                                          github.com/hashicorp/go-retryablehttp@0.7.7
  1065                                           <span class="list-paths__item__arrow">›</span> 
  1066                                          github.com/hashicorp/go-cleanhttp@0.5.2
  1067                                          
  1068                                  </span>
  1069          
  1070                              </li>
  1071                                  <li>
  1072                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1073                                          github.com/argoproj/argo-cd/v3@0.0.0
  1074                                           <span class="list-paths__item__arrow">›</span> 
  1075                                          github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872
  1076                                           <span class="list-paths__item__arrow">›</span> 
  1077                                          github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872
  1078                                           <span class="list-paths__item__arrow">›</span> 
  1079                                          github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872
  1080                                           <span class="list-paths__item__arrow">›</span> 
  1081                                          github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
  1082                                           <span class="list-paths__item__arrow">›</span> 
  1083                                          github.com/hashicorp/go-retryablehttp@0.7.7
  1084                                           <span class="list-paths__item__arrow">›</span> 
  1085                                          github.com/hashicorp/go-cleanhttp@0.5.2
  1086                                          
  1087                                  </span>
  1088          
  1089                              </li>
  1090                      </ul><!-- .list-paths -->
  1091          
  1092              </div><!-- .card__section -->
  1093          
  1094                <hr/>
  1095                <!-- Overview -->
  1096                <p>MPL-2.0 license</p>
  1097          
  1098                <hr/>
  1099          
  1100              <div class="cta card__cta">
  1101                  <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p>
  1102              </div>
  1103          
  1104          </div><!-- .card -->
  1105          <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
  1106              <h2 class="card__title">MPL-2.0 license</h2>
  1107              <div class="card__section">
  1108          
  1109                  <div class="card__labels">
  1110                      <div class="label label--medium">
  1111                          <span class="label__text">medium severity</span>
  1112                      </div>
  1113                  </div>
  1114          
  1115                  <hr/>
  1116          
  1117                  <ul class="card__meta">
  1118                      <li class="card__meta__item">
  1119                          Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
  1120                      </li>
  1121                      <li class="card__meta__item">
  1122                          Package Manager: golang
  1123                      </li>
  1124                      <li class="card__meta__item">
  1125                              Module:
  1126          
  1127                              github.com/gosimple/slug
  1128                      </li>
  1129          
  1130                      <li class="card__meta__item">Introduced through:
  1131          
  1132                                  github.com/argoproj/argo-cd/v3@0.0.0 and github.com/gosimple/slug@1.15.0
  1133          
  1134                      </li>
  1135                  </ul>
  1136          
  1137                  <hr/>
  1138          
  1139          
  1140                          <h3 class="card__section__title">Detailed paths</h3>
  1141          
  1142                      <ul class="card__meta__paths">
  1143                                  <li>
  1144                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1145                                          github.com/argoproj/argo-cd/v3@0.0.0
  1146                                           <span class="list-paths__item__arrow">›</span> 
  1147                                          github.com/gosimple/slug@1.15.0
  1148                                          
  1149                                  </span>
  1150          
  1151                              </li>
  1152                      </ul><!-- .list-paths -->
  1153          
  1154              </div><!-- .card__section -->
  1155          
  1156                <hr/>
  1157                <!-- Overview -->
  1158                <p>MPL-2.0 license</p>
  1159          
  1160                <hr/>
  1161          
  1162              <div class="cta card__cta">
  1163                  <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p>
  1164              </div>
  1165          
  1166          </div><!-- .card -->
  1167          <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
  1168              <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
  1169              <div class="card__section">
  1170          
  1171                  <div class="card__labels">
  1172                      <div class="label label--medium">
  1173                          <span class="label__text">medium severity</span>
  1174                      </div>
  1175                  </div>
  1176          
  1177                  <hr/>
  1178          
  1179                  <ul class="card__meta">
  1180                      <li class="card__meta__item">
  1181                          Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
  1182                      </li>
  1183                      <li class="card__meta__item">
  1184                          Package Manager: npm
  1185                      </li>
  1186                      <li class="card__meta__item">
  1187                              Vulnerable module:
  1188          
  1189                              foundation-sites
  1190                      </li>
  1191          
  1192                      <li class="card__meta__item">Introduced through:
  1193          
  1194                                  argo-cd-ui@1.0.0 and foundation-sites@6.8.1
  1195          
  1196                      </li>
  1197                  </ul>
  1198          
  1199                  <hr/>
  1200          
  1201          
  1202                          <h3 class="card__section__title">Detailed paths</h3>
  1203          
  1204                      <ul class="card__meta__paths">
  1205                                  <li>
  1206                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1207                                          argo-cd-ui@1.0.0
  1208                                           <span class="list-paths__item__arrow">›</span> 
  1209                                          foundation-sites@6.8.1
  1210                                          
  1211                                  </span>
  1212          
  1213                              </li>
  1214                                  <li>
  1215                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1216                                          argo-cd-ui@1.0.0
  1217                                           <span class="list-paths__item__arrow">›</span> 
  1218                                          argo-ui@1.0.0
  1219                                           <span class="list-paths__item__arrow">›</span> 
  1220                                          foundation-sites@6.8.1
  1221                                          
  1222                                  </span>
  1223          
  1224                              </li>
  1225                      </ul><!-- .list-paths -->
  1226          
  1227              </div><!-- .card__section -->
  1228          
  1229                <hr/>
  1230                <!-- Overview -->
  1231                <h2 id="overview">Overview</h2>
   1232          <p><a href="https://github.com/zurb/foundation-sites">foundation-sites</a> is a responsive front-end framework.</p>
  1233          <p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.</p>
  1234          <h2 id="poc">PoC</h2>
  1235          <pre><code>https://www.&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;&#39;
  1236          </code></pre>
  1237          <h2 id="details">Details</h2>
  1238          <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p>
  1239          <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren&#39;t very intuitive and can ultimately end up making it easy for attackers to take your site down.</p>
  1240          <p>Let’s take the following regular expression as an example:</p>
  1241          <pre><code class="language-js">regex = /A(B|C+)+D/
  1242          </code></pre>
  1243          <p>This regular expression accomplishes the following:</p>
  1244          <ul>
  1245          <li><code>A</code> The string must start with the letter &#39;A&#39;</li>
  1246          <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter &#39;B&#39; or some number of occurrences of the letter &#39;C&#39; (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li>
  1247          <li><code>D</code> Finally, we ensure this section of the string ends with a &#39;D&#39;</li>
  1248          </ul>
  1249          <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p>
  1250          <p>In most cases, it doesn&#39;t take very long for a regex engine to find a match:</p>
  1251          <pre><code class="language-bash">$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD&quot;)&#39;
  1252          0.04s user 0.01s system 95% cpu 0.052 total
  1253          
  1254          $ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX&quot;)&#39;
  1255          1.79s user 0.02s system 99% cpu 1.812 total
  1256          </code></pre>
  1257          <p>The entire process of testing it against a 30 character long string takes around 52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p>
  1258          <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p>
  1259          <p>Let&#39;s look at how our expression runs into this problem, using a shorter string: &quot;ACCCX&quot;. While it seems fairly straightforward, there are still four different ways that the engine could match those three C&#39;s:</p>
  1260          <ol>
  1261          <li>CCC</li>
  1262          <li>CC+C</li>
  1263          <li>C+CC</li>
  1264          <li>C+C+C</li>
  1265          </ol>
  1266          <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use the <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see that the engine has to take a total of 38 steps before it can determine the string doesn&#39;t match.</p>
  1267          <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p>
  1268          <table>
  1269          <thead>
  1270          <tr>
  1271          <th>String</th>
  1272          <th align="right">Number of C&#39;s</th>
  1273          <th align="right">Number of steps</th>
  1274          </tr>
  1275          </thead>
  1276          <tbody><tr>
  1277          <td>ACCCX</td>
  1278          <td align="right">3</td>
  1279          <td align="right">38</td>
  1280          </tr>
  1281          <tr>
  1282          <td>ACCCCX</td>
  1283          <td align="right">4</td>
  1284          <td align="right">71</td>
  1285          </tr>
  1286          <tr>
  1287          <td>ACCCCCX</td>
  1288          <td align="right">5</td>
  1289          <td align="right">136</td>
  1290          </tr>
  1291          <tr>
  1292          <td>ACCCCCCCCCCCCCCX</td>
  1293          <td align="right">14</td>
  1294          <td align="right">65,553</td>
  1295          </tr>
  1296          </tbody></table>
  1297          <p>By the time the string includes 14 C&#39;s, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause the engine to work very slowly (the number of steps grows exponentially with input size, as shown above), which allows an attacker to make the service consume excessive CPU, resulting in a Denial of Service.</p>
  1298          <h2 id="remediation">Remediation</h2>
  1299          <p>There is no fixed version for <code>foundation-sites</code>.</p>
  1300          <h2 id="references">References</h2>
  1301          <ul>
  1302          <li><a href="https://securitylab.github.com/advisories/GHSL-2020-290-redos-foundation-sites">GitHub Advisory</a></li>
  1303          <li><a href="https://github.com/foundation/foundation-sites/issues/12180">GitHub Issue</a></li>
  1304          <li><a href="https://github.com/foundation/foundation-sites/blob/develop/js/foundation.abide.js#L864">Vulnerable Code</a></li>
  1305          </ul>
  1306          
  1307                <hr/>
  1308          
  1309              <div class="cta card__cta">
  1310                  <p><a href="https://snyk.io/vuln/SNYK-JS-FOUNDATIONSITES-8310364">More about this vulnerability</a></p>
  1311              </div>
  1312          
  1313          </div><!-- .card -->
  1314          <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
  1315              <h2 class="card__title">Insecure Randomness</h2>
  1316              <div class="card__section">
  1317          
  1318                  <div class="card__labels">
  1319                      <div class="label label--low">
  1320                          <span class="label__text">low severity</span>
  1321                      </div>
  1322                  </div>
  1323          
  1324                  <hr/>
  1325          
  1326                  <ul class="card__meta">
  1327                      <li class="card__meta__item">
  1328                          Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
  1329                      </li>
  1330                      <li class="card__meta__item">
  1331                          Package Manager: npm
  1332                      </li>
  1333                      <li class="card__meta__item">
  1334                              Vulnerable module:
  1335          
  1336                              formidable
  1337                      </li>
  1338          
  1339                      <li class="card__meta__item">Introduced through:
  1340          
  1341          
  1342                                      argo-cd-ui@1.0.0, superagent@8.1.2 and others
  1343                      </li>
  1344                  </ul>
  1345          
  1346                  <hr/>
  1347          
  1348          
  1349                          <h3 class="card__section__title">Detailed paths</h3>
  1350          
  1351                      <ul class="card__meta__paths">
  1352                                  <li>
  1353                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1354                                          argo-cd-ui@1.0.0
  1355                                           <span class="list-paths__item__arrow">›</span> 
  1356                                          superagent@8.1.2
  1357                                           <span class="list-paths__item__arrow">›</span> 
  1358                                          formidable@2.1.2
  1359                                          
  1360                                  </span>
  1361          
  1362                              </li>
  1363                      </ul><!-- .list-paths -->
  1364          
  1365              </div><!-- .card__section -->
  1366          
  1367                <hr/>
  1368                <!-- Overview -->
  1369                <h2 id="overview">Overview</h2>
  1370          <p>Affected versions of this package are vulnerable to Insecure Randomness due to its use of the <code>hexoid()</code> function in the generation of fingerprint IDs.</p>
  1371          <h2 id="remediation">Remediation</h2>
  1372          <p>Upgrade <code>formidable</code> to version 2.1.3, 3.5.3 or higher.</p>
  1373          <h2 id="references">References</h2>
  1374          <ul>
  1375          <li><a href="https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5">GitHub Commit</a></li>
  1376          <li><a href="https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md">Vulnerability Report</a></li>
  1377          </ul>
  1378          
  1379                <hr/>
  1380          
  1381              <div class="cta card__cta">
  1382                  <p><a href="https://snyk.io/vuln/SNYK-JS-FORMIDABLE-9788127">More about this vulnerability</a></p>
  1383              </div>
  1384          
  1385          </div><!-- .card -->
  1386          <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
  1387              <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
  1388              <div class="card__section">
  1389          
  1390                  <div class="card__labels">
  1391                      <div class="label label--low">
  1392                          <span class="label__text">low severity</span>
  1393                      </div>
  1394                  </div>
  1395          
  1396                  <hr/>
  1397          
  1398                  <ul class="card__meta">
  1399                      <li class="card__meta__item">
  1400                          Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
  1401                      </li>
  1402                      <li class="card__meta__item">
  1403                          Package Manager: npm
  1404                      </li>
  1405                      <li class="card__meta__item">
  1406                              Vulnerable module:
  1407          
  1408                              brace-expansion
  1409                      </li>
  1410          
  1411                      <li class="card__meta__item">Introduced through:
  1412          
  1413          
  1414                                      argo-cd-ui@1.0.0, minimatch@3.1.2 and others
  1415                      </li>
  1416                  </ul>
  1417          
  1418                  <hr/>
  1419          
  1420          
  1421                          <h3 class="card__section__title">Detailed paths</h3>
  1422          
  1423                      <ul class="card__meta__paths">
  1424                                  <li>
  1425                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1426                                          argo-cd-ui@1.0.0
  1427                                           <span class="list-paths__item__arrow">›</span> 
  1428                                          minimatch@3.1.2
  1429                                           <span class="list-paths__item__arrow">›</span> 
  1430                                          brace-expansion@1.1.11
  1431                                          
  1432                                  </span>
  1433          
  1434                              </li>
  1435                                  <li>
  1436                                  <span class="list-paths__item__introduced"><em>Introduced through</em>:
  1437                                          argo-cd-ui@1.0.0
  1438                                           <span class="list-paths__item__arrow">›</span> 
  1439                                          redoc@2.4.0
  1440                                           <span class="list-paths__item__arrow">›</span> 
  1441                                          @redocly/openapi-core@1.30.0
  1442                                           <span class="list-paths__item__arrow">›</span> 
  1443                                          minimatch@5.1.6
  1444                                           <span class="list-paths__item__arrow">›</span> 
  1445                                          brace-expansion@2.0.1
  1446                                          
  1447                                  </span>
  1448          
  1449                              </li>
  1450                      </ul><!-- .list-paths -->
  1451          
  1452              </div><!-- .card__section -->
  1453          
  1454                <hr/>
  1455                <!-- Overview -->
  1456                <h2 id="overview">Overview</h2>
  1457          <p><a href="https://github.com/juliangruber/brace-expansion">brace-expansion</a> implements brace expansion as known from sh/bash.</p>
  1458          <p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the <code>expand()</code> function, which is prone to catastrophic backtracking on very long malicious inputs.</p>
  1459          <h2 id="poc">PoC</h2>
  1460          <pre><code class="language-js">import index from &quot;./index.js&quot;;
  1461          
  1462          let str = &quot;{a}&quot; + &quot;,&quot;.repeat(100000) + &quot;\u0000&quot;;
  1463          
  1464          let startTime = performance.now();
  1465          
  1466          const result = index(str);
  1467          
  1468          let endTime = performance.now();
  1469          
  1470          let timeTaken = endTime - startTime;
  1471          
  1472          console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`);
  1473          </code></pre>
  1474          <h2 id="details">Details</h2>
  1475          <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p>
  1476          <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren&#39;t very intuitive and can ultimately end up making it easy for attackers to take your site down.</p>
  1477          <p>Let’s take the following regular expression as an example:</p>
  1478          <pre><code class="language-js">regex = /A(B|C+)+D/
  1479          </code></pre>
  1480          <p>This regular expression accomplishes the following:</p>
  1481          <ul>
  1482          <li><code>A</code> The string must start with the letter &#39;A&#39;</li>
  1483          <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter &#39;B&#39; or some number of occurrences of the letter &#39;C&#39; (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li>
  1484          <li><code>D</code> Finally, we ensure this section of the string ends with a &#39;D&#39;</li>
  1485          </ul>
  1486          <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p>
  1487          <p>In most cases, it doesn&#39;t take very long for a regex engine to find a match:</p>
  1488          <pre><code class="language-bash">$ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD&quot;)&#39;
  1489          0.04s user 0.01s system 95% cpu 0.052 total
  1490          
  1491          $ time node -e &#39;/A(B|C+)+D/.test(&quot;ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX&quot;)&#39;
  1492          1.79s user 0.02s system 99% cpu 1.812 total
  1493          </code></pre>
  1494          <p>The entire process of testing it against a 30 character long string takes around 52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p>
  1495          <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p>
  1496          <p>Let&#39;s look at how our expression runs into this problem, using a shorter string: &quot;ACCCX&quot;. While it seems fairly straightforward, there are still four different ways that the engine could match those three C&#39;s:</p>
  1497          <ol>
  1498          <li>CCC</li>
  1499          <li>CC+C</li>
  1500          <li>C+CC</li>
  1501          <li>C+C+C</li>
  1502          </ol>
  1503          <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use the <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see that the engine has to take a total of 38 steps before it can determine the string doesn&#39;t match.</p>
  1504          <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p>
  1505          <table>
  1506          <thead>
  1507          <tr>
  1508          <th>String</th>
  1509          <th align="right">Number of C&#39;s</th>
  1510          <th align="right">Number of steps</th>
  1511          </tr>
  1512          </thead>
  1513          <tbody><tr>
  1514          <td>ACCCX</td>
  1515          <td align="right">3</td>
  1516          <td align="right">38</td>
  1517          </tr>
  1518          <tr>
  1519          <td>ACCCCX</td>
  1520          <td align="right">4</td>
  1521          <td align="right">71</td>
  1522          </tr>
  1523          <tr>
  1524          <td>ACCCCCX</td>
  1525          <td align="right">5</td>
  1526          <td align="right">136</td>
  1527          </tr>
  1528          <tr>
  1529          <td>ACCCCCCCCCCCCCCX</td>
  1530          <td align="right">14</td>
  1531          <td align="right">65,553</td>
  1532          </tr>
  1533          </tbody></table>
  1534          <p>By the time the string includes 14 C&#39;s, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause the engine to work very slowly (the number of steps grows exponentially with input size, as shown above), which allows an attacker to make the service consume excessive CPU, resulting in a Denial of Service.</p>
  1535          <h2 id="remediation">Remediation</h2>
  1536          <p>Upgrade <code>brace-expansion</code> to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.</p>
  1537          <h2 id="references">References</h2>
  1538          <ul>
  1539          <li><a href="https://github.com/advisories/GHSA-v6h2-p8h4-qcjw">GitHub Advisory</a></li>
  1540          <li><a href="https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2">GitHub Commit</a></li>
  1541          <li><a href="https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466">GitHub Gist</a></li>
  1542          <li><a href="https://github.com/juliangruber/brace-expansion/pull/65">GitHub PR</a></li>
  1543          </ul>
  1544          
  1545                <hr/>
  1546          
  1547              <div class="cta card__cta">
  1548                  <p><a href="https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073">More about this vulnerability</a></p>
  1549              </div>
  1550          
  1551          </div><!-- .card -->
  1552        </div><!-- cards -->
  1553      </div>
  1554    </main><!-- .layout-stacked__content -->
  1555  </body>
  1556  
  1557  </html>