[ https://issues.apache.org/jira/browse/FLINK-36716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17912115#comment-17912115 ]

Alexander Fedulov commented on FLINK-36716:
-------------------------------------------

Backports to 1.19 (also need to be merged in that order):
 # [https://github.com/apache/flink/pull/25941]
 # [https://github.com/apache/flink/pull/25957]
 # [https://github.com/apache/flink/pull/25958]
 # [https://github.com/apache/flink/pull/25959]

> Address vulnerabilities in Flink UI
> -----------------------------------
>
>                 Key: FLINK-36716
>                 URL: https://issues.apache.org/jira/browse/FLINK-36716
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / Web Frontend
>    Affects Versions: 2.0.0, 1.20.0
>            Reporter: Mehdi
>            Assignee: Mehdi
>            Priority: Major
>             Fix For: 2.0.0, 1.19.2, 1.20.1
>
>
> When running `npm audit` we get 36 vulnerabilities (1 low, 15 moderate, 17 high, 3 critical); we should address any current, open vulnerabilities.
> These critical vulnerabilities are gone by raising the version of Angular, and we also need to raise the Node version, so there are two sub-tasks for this ticket.
> Result of the npm audit:
> {code:java}
> # npm audit report
>
> @adobe/css-tools  <=4.3.1
> Severity: moderate
> @adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS - https://github.com/advisories/GHSA-hpx4-r86g-5jrg
> @adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-prr3-c3m5-p7q2
> fix available via `npm audit fix`
> node_modules/@adobe/css-tools
>
> @babel/traverse  <7.23.2
> Severity: critical
> Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
> fix available via `npm audit fix`
> node_modules/@babel/traverse
>
> body-parser  <1.20.3
> Severity: high
> body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
> fix available via `npm audit fix`
> node_modules/body-parser
>   express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
>   Depends on vulnerable versions of body-parser
>   Depends on vulnerable versions of cookie
>   Depends on vulnerable versions of path-to-regexp
>   Depends on vulnerable versions of send
>   Depends on vulnerable versions of serve-static
>   node_modules/express
>
> braces  <3.0.3
> Severity: high
> Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
> fix available via `npm audit fix`
> node_modules/braces
>
> cookie  <0.7.0
> cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
> fix available via `npm audit fix`
> node_modules/cookie
> node_modules/express/node_modules/cookie
>   engine.io  0.7.8 - 0.7.9 || 1.8.0 - 6.6.1
>   Depends on vulnerable versions of cookie
>   Depends on vulnerable versions of ws
>   node_modules/engine.io
>     socket.io  1.6.0 - 4.7.5
>     Depends on vulnerable versions of engine.io
>     node_modules/socket.io
>
> d3-color  <3.1.0
> Severity: high
> d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
> fix available via `npm audit fix`
> node_modules/d3-interpolate/node_modules/d3-color
>   d3-interpolate  0.1.3 - 2.0.1
>   Depends on vulnerable versions of d3-color
>   node_modules/d3-interpolate
>     @antv/g-base  <=0.5.11
>     Depends on vulnerable versions of d3-interpolate
>     node_modules/@antv/g-base
>
> follow-redirects  <=1.15.5
> Severity: moderate
> Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
> follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
> fix available via `npm audit fix`
> node_modules/follow-redirects
>
> http-proxy-middleware  <2.0.7
> Severity: high
> Denial of service in http-proxy-middleware - https://github.com/advisories/GHSA-c7qv-q95q-8v27
> fix available via `npm audit fix`
> node_modules/http-proxy-middleware
>
> ip  *
> Severity: high
> NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
> ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
> fix available via `npm audit fix`
> node_modules/ip
>
> loader-utils  3.0.0 - 3.2.0
> Severity: high
> loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
> loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
> fix available via `npm audit fix`
> node_modules/loader-utils
>   @angular-devkit/build-angular  *
>   Depends on vulnerable versions of loader-utils
>   Depends on vulnerable versions of postcss
>   Depends on vulnerable versions of protractor
>   Depends on vulnerable versions of semver
>   Depends on vulnerable versions of webpack
>   Depends on vulnerable versions of webpack-dev-middleware
>   node_modules/@angular-devkit/build-angular
>
> micromatch  <4.0.8
> Severity: moderate
> Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
> fix available via `npm audit fix`
> node_modules/micromatch
>
> path-to-regexp  <0.1.10
> Severity: high
> path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
> fix available via `npm audit fix`
> node_modules/path-to-regexp
>
> postcss  <8.4.31
> Severity: moderate
> PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
> fix available via `npm audit fix`
> node_modules/postcss
>
> request  *
> Severity: moderate
> Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
> Depends on vulnerable versions of tough-cookie
> fix available via `npm audit fix --force`
> Will install protractor@3.3.0, which is a breaking change
> node_modules/request
>   webdriver-manager  *
>   Depends on vulnerable versions of request
>   Depends on vulnerable versions of xml2js
>   node_modules/webdriver-manager
>     protractor  >=1.3.0
>     Depends on vulnerable versions of selenium-webdriver
>     Depends on vulnerable versions of webdriver-js-extender
>     Depends on vulnerable versions of webdriver-manager
>     node_modules/protractor
>
> semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
> Severity: high
> semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
> semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
> semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
> fix available via `npm audit fix`
> node_modules/@angular-devkit/build-angular/node_modules/semver
> node_modules/@angular/cli/node_modules/semver
> node_modules/@babel/core/node_modules/semver
> node_modules/@babel/helper-compilation-targets/node_modules/semver
> node_modules/@babel/helper-define-polyfill-provider/node_modules/semver
> node_modules/@babel/plugin-transform-runtime/node_modules/semver
> node_modules/@babel/preset-env/node_modules/semver
> node_modules/babel-plugin-polyfill-corejs2/node_modules/semver
> node_modules/istanbul-lib-instrument/node_modules/semver
> node_modules/less/node_modules/semver
> node_modules/make-dir/node_modules/semver
> node_modules/read-pkg/node_modules/semver
> node_modules/semver
> node_modules/webdriver-manager/node_modules/semver
>   @angular/cli  9.1.0-next.0 - 14.2.11 || 15.0.0-next.0 - 15.2.8 || 16.0.0-next.0 - 16.1.1
>   Depends on vulnerable versions of semver
>   node_modules/@angular/cli
>
> send  <0.19.0
> Severity: moderate
> send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
> fix available via `npm audit fix`
> node_modules/send
>   serve-static  <=1.16.0
>   Depends on vulnerable versions of send
>   node_modules/serve-static
>
> tar  <6.2.1
> Severity: moderate
> Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
> fix available via `npm audit fix`
> node_modules/tar
>
> tough-cookie  <4.1.3
> Severity: moderate
> tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
> fix available via `npm audit fix --force`
> Will install protractor@3.3.0, which is a breaking change
> node_modules/tough-cookie
>
> webpack  5.0.0-alpha.0 - 5.93.0
> Severity: critical
> Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
> Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - https://github.com/advisories/GHSA-4vvj-4cpr-p986
> fix available via `npm audit fix`
> node_modules/webpack
>
> webpack-dev-middleware  <=5.3.3
> Severity: high
> Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
> fix available via `npm audit fix`
> node_modules/webpack-dev-middleware
>
> word-wrap  <1.2.4
> Severity: moderate
> word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
> fix available via `npm audit fix`
> node_modules/word-wrap
>
> ws  8.0.0 - 8.17.0
> Severity: high
> ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
> fix available via `npm audit fix`
> node_modules/ws
>   socket.io-adapter  2.5.2 - 2.5.4
>   Depends on vulnerable versions of ws
>   node_modules/socket.io-adapter
>
> xml2js  <0.5.0
> Severity: moderate
> xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
> fix available via `npm audit fix --force`
> Will install protractor@3.3.0, which is a breaking change
> node_modules/xml2js
>   selenium-webdriver  2.43.1 - 4.0.0-rc-2
>   Depends on vulnerable versions of xml2js
>   node_modules/selenium-webdriver
>     webdriver-js-extender  *
>     Depends on vulnerable versions of selenium-webdriver
>     node_modules/webdriver-js-extender
>
> 36 vulnerabilities (1 low, 15 moderate, 17 high, 3 critical)
> {code}
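The audit report above mixes advisories that `npm audit fix` can resolve in place with ones that need `npm audit fix --force` and a breaking major bump (the protractor@3.3.0 cases), and it counts transitive entries such as `express` that are only "vulnerable" through a dependency. The script below is an added example, not code from the Flink project or from this ticket: it reads the JSON form of the same report (`npm audit --json`, the `auditReportVersion: 2` shape npm 7+ emits, reproduced here from memory and worth checking against your own npm's output), separates root-cause advisories from transitive fallout, flags fixes that require a semver-major change, and fails a CI gate at a chosen severity. The `SAMPLE_REPORT` is constructed to mirror four entries from the ticket's text output; it is not real npm output.

```javascript
'use strict';

// Added example (not Flink's code): gate a build on `npm audit --json` output.
// Assumed JSON shape (npm 7+, auditReportVersion 2): each key of `vulnerabilities`
// has `severity`, `via` (advisory objects for root causes, package-name strings for
// transitive hits), `range`, and `fixAvailable` (true | false | {name, version, isSemVerMajor}).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring four entries from the ticket's text report (not real output).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    '@babel/traverse': {
      name: '@babel/traverse', severity: 'critical', isDirect: false, range: '<7.23.2',
      via: [{ title: 'Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code',
              url: 'https://github.com/advisories/GHSA-67hx-6x53-jw92', severity: 'critical' }],
      fixAvailable: true,
    },
    'body-parser': {
      name: 'body-parser', severity: 'high', isDirect: false, range: '<1.20.3',
      via: [{ title: 'body-parser vulnerable to denial of service when url encoding is enabled',
              url: 'https://github.com/advisories/GHSA-qwcr-r2fm-qrc7', severity: 'high' }],
      fixAvailable: true,
    },
    express: {
      name: 'express', severity: 'high', isDirect: true, range: '<=4.21.0',
      via: ['body-parser'],           // transitive: vulnerable only through body-parser
      fixAvailable: true,
    },
    'tough-cookie': {
      name: 'tough-cookie', severity: 'moderate', isDirect: false, range: '<4.1.3',
      via: [{ title: 'tough-cookie Prototype Pollution vulnerability',
              url: 'https://github.com/advisories/GHSA-72xf-g2v4-qvf3', severity: 'moderate' }],
      // Mirrors "fix available via `npm audit fix --force` / Will install protractor@3.3.0":
      fixAvailable: { name: 'protractor', version: '3.3.0', isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 1, total: 4 } },
};

// Split the report into per-severity counts, root-cause advisories, and breaking-only fixes.
function summarize(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const advisories = [];   // entries whose `via` carries an advisory object (the real root causes)
  const breaking = [];     // entries only fixable by a semver-major bump (`npm audit fix --force`)
  for (const v of Object.values(report.vulnerabilities || {})) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
    const rootCauses = (v.via || []).filter((x) => typeof x === 'object' && x !== null);
    if (rootCauses.length > 0) {
      advisories.push({ name: v.name, severity: v.severity, range: v.range, urls: rootCauses.map((a) => a.url) });
    }
    if (v.fixAvailable && typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor) {
      breaking.push(v.name);
    }
  }
  return { counts, advisories, breaking };
}

// CI gate: fail when any root-cause advisory is at or above `failOn` severity.
function gate(report, failOn = 'high') {
  if (!(failOn in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${failOn}`);
  const { counts, advisories, breaking } = summarize(report);
  const blocking = advisories.filter((a) => SEVERITY_RANK[a.severity] >= SEVERITY_RANK[failOn]);
  return { ok: blocking.length === 0, blocking, counts, breaking };
}

// Stand-alone run: print the gate decision for the constructed sample.
const decision = gate(SAMPLE_REPORT, 'high');
console.log(decision.ok ? 'audit gate: PASS' : 'audit gate: FAIL');
for (const b of decision.blocking) console.log(`  ${b.severity.padEnd(8)} ${b.name} ${b.range}  ${b.urls.join(', ')}`);
if (decision.breaking.length) console.log(`  needs --force (breaking): ${decision.breaking.join(', ')}`);
```

To use it against a real tree, replace `SAMPLE_REPORT` with `JSON.parse` of the `npm audit --json` output and exit non-zero when `gate(...).ok` is false. Counting only entries with advisory objects as blocking avoids double-counting the transitive `express`-style rows, while the `breaking` list is what tells a reviewer which fixes cannot land via plain `npm audit fix`, which is exactly the split this ticket resolved by raising Angular and Node rather than forcing protractor@3.3.0.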



--
This message was sent by Atlassian Jira
(v8.20.10#820010)