Using vulnerable dependencies in package.json in star7th/showdoc
Valid
Reported on Mar 18th 2022
Description
- Hello team, Showdoc is using an axios 0.17.1 dependency that is vulnerable to:👇
1. CVE-2021-3749 Regular Expression Denial of Service (ReDoS)
2. CVE-2020-28168 Server-Side Request Forgery (SSRF)
3. CVE-2019-10742 Denial of Service (DoS)
Path to the file:
https://github.com/star7th/showdoc/blob/3caa32334db0c277b84e993eaca2036f5d1dbef8/web_src/package.json#L17
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10742
Patch recommendation:
- Update axios 0.17.1 to axios 0.21.3
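As an added illustration of the check behind this recommendation (example code, not part of the report or of the showdoc project): a small Node script that parses a package.json, finds dependencies whose declared version floor is below the version the reporter recommends, and returns them as findings. The sample package.json is constructed inline; the package name `axios` and the versions 0.17.1 and 0.21.3 come from the report, everything else (the `FIXED` table, the `auditPackageJson` helper) is an assumption made for the example.

```javascript
// Added example, not from the report or the showdoc project.
// Minimum recommended versions, keyed by package name (assumed table;
// the axios entry is the version recommended in the report above).
const FIXED = { axios: '0.21.3' };

// Constructed sample package.json mirroring the vulnerable declaration.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'showdoc-web-sample',
  dependencies: { axios: '^0.17.1', vue: '^2.5.2' },
  devDependencies: { webpack: '^3.6.0' },
});

// Parse the numeric floor of a version spec such as "^0.17.1", "~1.2.3",
// ">=1.0.0" or "v2.0.0" into [major, minor, patch]; null if unrecognised.
function parseVersion(spec) {
  const m = /^[\^~>=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return one finding per dependency (in dependencies or devDependencies)
// that is listed in fixedVersions and declared below the fixed version.
// Ranges that cannot be parsed are reported too, so they get a manual look.
function auditPackageJson(jsonText, fixedVersions = FIXED) {
  const pkg = JSON.parse(jsonText);
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!(name in fixedVersions)) continue;
      const declared = parseVersion(spec);
      const fixed = parseVersion(fixedVersions[name]);
      if (!declared) {
        findings.push({ name, section, spec, reason: 'unparseable range' });
      } else if (compareVersions(declared, fixed) < 0) {
        findings.push({ name, section, spec, fixed: fixedVersions[name] });
      }
    }
  }
  return findings;
}

// Run directly: print the findings for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.section}: ${f.name} ${f.spec} is below ${f.fixed || '?'}`);
  }
}
```

The declared range is only a floor: `^0.17.1` lets npm install any 0.17.x but nothing newer, so the floor is what this check compares. What actually ships is the resolved version in the lockfile (package-lock.json or yarn.lock), which is what a production audit should read, and raising the floor in package.json is not enough without regenerating the lockfile.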
We are processing your report and will contact the star7th/showdoc team within 24 hours.
a year ago
We have contacted a member of the star7th/showdoc team and are waiting to hear back.
a year ago
Hi both 👋
The bounties have been zeroed out here, as our disclosure policy does not allow rewards for vulnerabilities in dependencies that are consumed as part of a library or repository. The vulnerability must be in the package/repository itself, i.e. in star7th/showdoc.
Let me know if you have any questions 👍