
Fix CVE-2021-3918 9.8 Vulnerability due to dependency on json-schema-0.2.3.tgz (Vulnerable Library)

Open kiergarlen opened this issue 4 years ago • 3 comments

Is your feature request related to a problem? Please describe.

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

box-node-sdk-2.0.0.tgz (Root Library)
    request-2.88.2.tgz
        http-signature-1.2.0.tgz
            jsprim-1.4.1.tgz
                ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

Describe the solution you'd like

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0

Additional context

CVE link: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2021-3918

kiergarlen avatar Feb 12 '22 00:02 kiergarlen
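As an added example (not code from box-node-sdk or from the reporter), the following Node.js script walks a package-lock.json v1-style nested `dependencies` tree, constructed inline to mirror the hierarchy above, and reports every chain that still resolves json-schema to a version below the fix release 0.4.0. A hoisted 0.4.0 copy at the top level is included in the constructed lock to show that it does not remove the nested vulnerable copy.

```javascript
// Added example: detect a vulnerable transitive dependency in a lockfile.
// The lock object below is constructed to mirror the chain quoted in the issue.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, 0 if equal, positive if a > b (pre-release tags ignored).
function compareVersions(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Depth-first walk over the nested "dependencies" map (lockfile v1 layout).
// Returns one chain per installed copy of `pkg` older than `fixedIn`,
// each chain a list of "name@version" strings from the root down.
function findVulnerablePaths(lock, pkg, fixedIn) {
  const hits = [];
  const walk = (deps, chain) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = chain.concat(`${name}@${entry.version}`);
      if (name === pkg && compareVersions(entry.version, fixedIn) < 0) hits.push(here);
      walk(entry.dependencies, here); // copies nested under a parent, not hoisted
    }
  };
  walk(lock.dependencies, [`${lock.name}@${lock.version}`]);
  return hits;
}

// Constructed lockfile fragment: the issue's chain plus a hoisted fixed copy.
const sampleLock = {
  name: "box-node-sdk", version: "2.0.0",
  dependencies: {
    "json-schema": { version: "0.4.0" }, // hoisted, fixed; does not help jsprim
    request: { version: "2.88.2", dependencies: {
      "http-signature": { version: "1.2.0", dependencies: {
        jsprim: { version: "1.4.1", dependencies: {
          "json-schema": { version: "0.2.3" } } } } } } },
  },
};

for (const p of findVulnerablePaths(sampleLock, "json-schema", "0.4.0")) {
  console.log("vulnerable chain:", p.join(" > "));
}
```

Run it against a real lock by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfile v2/v3 files also carry a nested `dependencies` section alongside `packages`, but the flat `packages` map would need a separate walker.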

Hi @kiergarlen,

Thanks for submitting this Issue! We will take a look and get back to you ASAP!

@lukaszsocha2

lukaszsocha2 avatar Feb 14 '22 09:02 lukaszsocha2

Hi @kiergarlen, the affected package is part of the request library, which is not maintained any more, so we may not expect a fix on their side soon. We are currently in the process of migrating from request to the axios package, so as soon as the migration is finished, the problem should be solved. @lukaszsocha2

lukaszsocha2 avatar Feb 15 '22 10:02 lukaszsocha2

Hi @lukaszsocha2, is there a roadmap in place to make that migration? Where can we check when this vulnerable dependency is going to be remediated? The CVE score is very high (9.8) and it has been reported since November of last year. NodeJS-Box integration is a key feature for us, but we (and everyone using the SDK) are at risk whilst this dependency is still there.

kiergarlen avatar Mar 29 '22 14:03 kiergarlen

Hi @kiergarlen,

We have just checked this vulnerable package again and see that the package has already been bumped to version 0.4.0 and released with box-node-sdk version 2.6.0 on 20 Sep 2022 (PR #761).

So please update the Node SDK to a newer version later than 2.6.0 and check again.

Thank you, Minh

congminh1254 avatar Jan 10 '23 00:01 congminh1254