Page MenuHomePhabricator
Create Task
Maniphest T215754

Kartotherian security vulnerabilities
Closed, ResolvedPublic
Actions

Description

Via github alerts,

kartotherian/server depends on lodash < 4.17.11 which is impacted by CVE CVE-2018-16487.

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

kartotherian/server depends on cached-path-relative < 1.0.2 which is impacted by CVE CVE-2018-16472.

A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.

Event Timeline

Pnorman created this task.Feb 11 2019, 7:23 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 11 2019, 7:23 AM
Pnorman added a project: Maps (Kartotherian).Feb 11 2019, 7:23 AM
Pnorman added a subscriber: Gehel.
Pnorman added a comment.Feb 11 2019, 8:28 PM

Also seeing this in kartotherian/babel

Pnorman added a subscriber: MSantos.Feb 11 2019, 8:32 PM
MSantos added a project: Product-Infrastructure-Team-Backlog-Deprecated.Feb 12 2019, 4:03 PM
MSantos moved this task from Needs triage to Needs investigation on the Product-Infrastructure-Team-Backlog-Deprecated board.Feb 13 2019, 4:36 PM
MSantos claimed this task.Jul 3 2019, 4:05 PM
MSantos edited projects, added Product-Infrastructure-Team-Backlog-Deprecated (Kanban); removed Product-Infrastructure-Team-Backlog-Deprecated.
MSantos added subscribers: Mholloway, Jhernandez.Jul 8 2019, 2:04 PM
chasemp triaged this task as High priority.Dec 9 2019, 4:30 PM
chasemp subscribed.

This seems like it needs more eyes?

MSantos added a comment.Dec 11 2019, 4:06 PM

lodash vulnerability is fixed at least since https://gerrit.wikimedia.org/r/c/mediawiki/services/kartotherian/+/525816

For kartotherian/server: see

For kartotherian/babel: see

MSantos closed this task as Resolved.Dec 11 2019, 4:13 PM

cached-path-relative is also already fix in kartotherian/server and it's not a dependency in babel, see.

Marking it as resolved, but please reopen if I'm missing something.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 11 2019, 4:21 PM
sbassett moved this task from Backlog / Other to Done on the acl*security board.
sbassett awarded a token.
chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL