Mehdi created FLINK-36716:
-----------------------------

             Summary: Address vulnerabilities in Flink UI
                 Key: FLINK-36716
                 URL: https://issues.apache.org/jira/browse/FLINK-36716
             Project: Flink
          Issue Type: Improvement
          Components: Runtime / Web Frontend
    Affects Versions: 1.20.0, 2.0.0
            Reporter: Mehdi

When running `npm audit` we get 36 vulnerabilities (1 low, 15 moderate, 17 high, 3 critical); we should address any current, open vulnerabilities. These critical vulnerabilities go away by raising the version of Angular.

Result of the npm audit:

{code:java}
npm audit report

@adobe/css-tools  <=4.3.1
Severity: moderate
@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS - https://github.com/advisories/GHSA-hpx4-r86g-5jrg
@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-prr3-c3m5-p7q2
fix available via `npm audit fix`
node_modules/@adobe/css-tools

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix`
node_modules/body-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix`
node_modules/cookie
node_modules/express/node_modules/cookie
  engine.io  0.7.8 - 0.7.9 || 1.8.0 - 6.6.1
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of ws
  node_modules/engine.io
    socket.io  1.6.0 - 4.7.5
    Depends on vulnerable versions of engine.io
    node_modules/socket.io

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix`
node_modules/d3-interpolate/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    @antv/g-base  <=0.5.11
    Depends on vulnerable versions of d3-interpolate
    node_modules/@antv/g-base

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

http-proxy-middleware  <2.0.7
Severity: high
Denial of service in http-proxy-middleware - https://github.com/advisories/GHSA-c7qv-q95q-8v27
fix available via `npm audit fix`
node_modules/http-proxy-middleware

ip  *
Severity: high
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix`
node_modules/ip

loader-utils  3.0.0 - 3.2.0
Severity: high
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix`
node_modules/loader-utils
  @angular-devkit/build-angular  *
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of protractor
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of webpack
  Depends on vulnerable versions of webpack-dev-middleware
  node_modules/@angular-devkit/build-angular

micromatch  <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via `npm audit fix`
node_modules/micromatch

path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix`
node_modules/path-to-regexp

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix`
node_modules/postcss

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install protractor@3.3.0, which is a breaking change
node_modules/request
  webdriver-manager  *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of xml2js
  node_modules/webdriver-manager
    protractor  >=1.3.0
    Depends on vulnerable versions of selenium-webdriver
    Depends on vulnerable versions of webdriver-js-extender
    Depends on vulnerable versions of webdriver-manager
    node_modules/protractor

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@angular-devkit/build-angular/node_modules/semver
node_modules/@angular/cli/node_modules/semver
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@babel/helper-define-polyfill-provider/node_modules/semver
node_modules/@babel/plugin-transform-runtime/node_modules/semver
node_modules/@babel/preset-env/node_modules/semver
node_modules/babel-plugin-polyfill-corejs2/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/less/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/semver
node_modules/webdriver-manager/node_modules/semver
  @angular/cli  9.1.0-next.0 - 14.2.11 || 15.0.0-next.0 - 15.2.8 || 16.0.0-next.0 - 16.1.1
  Depends on vulnerable versions of semver
  node_modules/@angular/cli

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install protractor@3.3.0, which is a breaking change
node_modules/tough-cookie

webpack  5.0.0-alpha.0 - 5.93.0
Severity: critical
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - https://github.com/advisories/GHSA-4vvj-4cpr-p986
fix available via `npm audit fix`
node_modules/webpack

webpack-dev-middleware  <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
fix available via `npm audit fix`
node_modules/webpack-dev-middleware

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/ws
  socket.io-adapter  2.5.2 - 2.5.4
  Depends on vulnerable versions of ws
  node_modules/socket.io-adapter

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install protractor@3.3.0, which is a breaking change
node_modules/xml2js
  selenium-webdriver  2.43.1 - 4.0.0-rc-2
  Depends on vulnerable versions of xml2js
  node_modules/selenium-webdriver
    webdriver-js-extender  *
    Depends on vulnerable versions of selenium-webdriver
    node_modules/webdriver-js-extender

36 vulnerabilities (1 low, 15 moderate, 17 high, 3 critical)
{code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)