[WEBUI-1526] [YARGS-PARSER] SRCCLR-SID-31414 | Unknown - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Web UI

Epic Link:
[May 2024] Security fixes for Web UI third-party libraries
Tags:
- nxui
- nxui-triaged
Sprint:
UI - 2024-7

Description

SRCCLR-SID-31414 | Unknown

Severity : Medium

yargs-parser is vulnerable to Regular Expression Denial of Service (ReDoS). The `isUnknownOption` function in `yargs-parser.ts` does not properly replace `-` characters from parse, allowing a malicious user to slow down or hang the application when unknown-options-as-args is set to true.

Module : yags-parser

nuxeo-web-ui.zip#zip:node_modules:yargs-parser

Current Version : 20.2.4

Recommended Version : 20.2.9 to 21.1.1

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

image-2024-05-15-16-27-56-400.png
103 kB
2024-05-15 10:57

Activity

People

Assignee:

Unassigned

Reporter:

Madhur Kulshrestha

Participants:

Madhur Kulshrestha

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2024-05-14 12:30

Updated:

2024-06-06 08:59