
Upgrade dependency on xlsx to 0.17.1

Open trietlu opened this issue 4 years ago • 2 comments

Can you upgrade xlsx to 0.17.0^ to address the following CVEs? Thanks

CVE-2021-32014 moderate severity Vulnerable versions: < 0.17.0 Patched version: 0.17.0 SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.

CVE-2021-32012 moderate severity Vulnerable versions: < 0.17.0 Patched version: 0.17.0 SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).

CVE-2021-32013 moderate severity Vulnerable versions: < 0.17.0 Patched version: 0.17.0 SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).

trietlu avatar Jan 04 '22 12:01 trietlu

Is there any update on this issue? I also found the same problem when I ran npm audit fix.

Edit:

xlsx <=0.16.9
Severity: moderate
Denial of Service in SheetJS Pro - https://github.com/advisories/GHSA-g973-978j-2c3p
Denial of Service in SheetJS Pro - https://github.com/advisories/GHSA-3x9f-74h4-2fqr
Denial of Service in SheetsJS Pro - https://github.com/advisories/GHSA-8vcr-vxm8-293m
No fix available

kie-sp avatar Aug 11 '22 09:08 kie-sp
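The "No fix available" result above comes from the nested copy of xlsx that react-excel-renderer pins, not from the version the application itself declares. The following script is an added example, not code from the react-excel-renderer project or from either commenter: it walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and reports every copy of xlsx below 0.17.0, the patched version named in the three advisories. The sample lockfile, including the react-excel-renderer version and its `^0.16.0` range, is constructed for the demonstration and does not describe the real project's manifest.

```javascript
// Added example: find every nested or top-level copy of "xlsx" in an npm
// lockfile whose version is below the advisory's patched version (0.17.0).
// Not part of react-excel-renderer; the sample lockfile below is constructed.

function parseVersion(v) {
  // Accept "1.2.3", "v1.2.3" or "1.2.3-beta"; compare only the numeric triple.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  // Returns -1, 0 or 1 like a comparator; numeric compare per component,
  // so "0.16.9" < "0.17.0" even though a string compare would say otherwise.
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Patched version from GHSA-g973-978j-2c3p, GHSA-3x9f-74h4-2fqr, GHSA-8vcr-vxm8-293m.
const XLSX_FIXED = "0.17.0";

function findVulnerableXlsx(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Lockfile keys are install paths, e.g.
    // "node_modules/react-excel-renderer/node_modules/xlsx" for a nested copy.
    const isXlsx = path === "node_modules/xlsx" || path.endsWith("/node_modules/xlsx");
    if (!isXlsx || !entry.version) continue;
    if (compareVersions(entry.version, XLSX_FIXED) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project's): the app declares a
// patched xlsx, but the dependency still pulls its own 0.16.x copy, which is
// exactly the situation npm audit reports as "No fix available".
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "react-excel-renderer": "^1.1.0", xlsx: "^0.17.1" } },
    "node_modules/xlsx": { version: "0.17.1" },
    "node_modules/react-excel-renderer": {
      version: "1.1.0",
      dependencies: { xlsx: "^0.16.0" },
    },
    "node_modules/react-excel-renderer/node_modules/xlsx": { version: "0.16.9" },
  },
};

console.log(findVulnerableXlsx(sampleLock));
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. If a nested copy shows up, the usual stop-gap until the library bumps its own range is an `"overrides": { "xlsx": "^0.17.1" }` entry in the application's package.json (supported by npm 8.3 and later); that is a general npm mechanism, not something proposed in this thread, and it only helps if react-excel-renderer's code still works against the newer xlsx API.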