[STRWEB-50] favicons with url-regex DoS (CVE-2020-7661) - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Blocked (View Workflow)
Priority: P3
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Labels:
- security
- security-reviewed

Template:
customfield_11100 37170
Development Team:
Stripes Force

Description

stripes-core has this dependency:

"favicons-webpack-plugin": "^3.0.1"
  favicons "5.5.0"
    to-ico "^1.1.5"
      resize-img "^1.1.0"
        jimp "^0.2.21"
          url-regex "^3.0.0"

All versions of url-regex have a denial-of-service vulnerability, the package seems to be unmaintained:
https://nvd.nist.gov/vuln/detail/CVE-2020-7661
https://github.com/kevva/url-regex/issues/70

jimp >= 0.3.0 no longer has the url-regex dependency: https://github.com/oliver-moran/jimp/commit/a13e939b57a4e2b9ec9192c43e807cd456e6e4f9

resize-img >= 2.0.0 depends on "jimp": "^0.8.3".

to-ico 1.1.5 is the latest version and still depends on resize-img "^1.1.0". There is a pull request with a fix https://github.com/kevva/to-ico/pull/19 but the repository has been unmaintained since August 2017.

The favicons maintainers say: "But in fact this vulnerability is not harmful because this package doesn't interact with the outside world and is used only locally." https://github.com/itgalaxy/favicons/issues/322

TestRail: Results

Attachments

Issue Links

relates to

STCOR-415 replace webapp-webpack-plugin with favicons-webpack-plugin

Closed

UXPROD-2767 R1 2021 | Stripes-force Tech debt

Closed

Activity

People

Assignee:: Ryan Berger

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 22/Jun/20 4:49 PM

Updated:: 02/Jun/22 5:26 PM

favicons with url-regex DoS (CVE-2020-7661)