
CVE-2023-36665 - Fix not reflected in dist version #1918

Closed
wakester25 opened this issue Aug 10, 2023 · 9 comments

Comments

@wakester25

wakester25 commented Aug 10, 2023

protobuf.js version: 7.2.4

Expected Behavior : Fix introduced for CVE-2023-36665 (https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4) would also be reflected in the distribution version of the code as well

Actual Behavior : Fix does not seem to be rolled out to distribution version. Distribution version seems to be last compiled on September 9 2022 - https://cdn.jsdelivr.net/npm/protobufjs@7.2.4/dist/protobuf.js

Code snippet from https://cdn.jsdelivr.net/npm/protobufjs@7.2.4/dist/protobuf.js

Would expect below to match e66379f

```js
util.setProperty = function setProperty(dst, path, value) {
    function setProp(dst, path, value) {
        var part = path.shift();
        if (part === "__proto__") {
          return dst;
        }
        if (path.length > 0) {
```
@Fotiman

Fotiman commented Aug 11, 2023

Following. Scanning tools still detect protobufjs 7.2.4 as containing CVE-2023-36665 because the fix for this vulnerability was only applied to the sources (util.js) in version 7.2.4, and was not fully released on dist files, so the risk exists in the 7.2.4 version.

@CalebBoLiuPriceline

Any update?

@albertosaito

BTW, I'm still getting CVE-2023-36665 as a security vulnerability from protobufjs@6.11.4, even when I see the code change in the dist files: https://cdn.jsdelivr.net/npm/protobufjs@6.11.4/dist/protobuf.js

Furthermore, the affected version range here https://nvd.nist.gov/vuln/detail/CVE-2023-36665 shows as if everything below 7.2.4 is vulnerable.

@alexander-fenster
Contributor

That's weird, because the dist files are supposed to be rebuilt in the prepublish step. I'm looking at what might be wrong here.

In any case, in the latest versions (7.2.5 and 6.11.4) the dist files are fixed, I checked both of them.

The GitHub advisory GHSA-h755-8qp9-cq85 was updated to list 6.11.4 as fixed. If anyone knows how to update the advisory at https://nvd.nist.gov/vuln/detail/CVE-2023-36665 accordingly, please let me know, or just go ahead and do it.

@Fotiman

Fotiman commented Aug 26, 2023

I'm still getting CVE-2023-36665 detected in 7.2.5.

@wakester25
Author

I believe CVEs can be updated through here: https://www.cve.org/ReportRequest/ReportRequestForNonCNAs

I won’t be able to get the update in till next mid week. If no one has done it by then I will go ahead and request the update.

@wakester25
Author

Accidentally closed with comment. Reopening till CVE is updated.

@wakester25 wakester25 reopened this Aug 26, 2023
@imdangodaane

Is there any news on this? I'm still getting report from scanning tools 😭

@wakester25
Author

CVE has been updated to correctly identify 7.2.5 as the fixed version: https://nvd.nist.gov/vuln/detail/CVE-2023-36665. Marking this issue as closed.
