[WEBUI-1526] [YARGS-PARSER] SRCCLR-SID-31414 | Unknown - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: Web UI

Epic Link:
[May 2024] Security fixes for Web UI third-party libraries
Tags:
- nxui
- nxui-triaged
Sprint:
UI COOLDOWN - 2024-9
Story Points:
3

Description

SRCCLR-SID-31414 | Unknown

Severity : Medium

yargs-parser is vulnerable to Regular Expression Denial of Service (ReDoS). The `isUnknownOption` function in `yargs-parser.ts` does not properly replace `-` characters from parse, allowing a malicious user to slow down or hang the application when unknown-options-as-args is set to true.

Module : yags-parser

nuxeo-web-ui.zip#zip:node_modules:yargs-parser

Current Version : 20.2.4

Recommended Version : 20.2.9 to 21.1.1

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

CustomizedReport_Nuxeo_Web_UI_23_Sep_2024.pdf
2024-09-23 11:28
604 kB
Alok Ranjan
elements.png
2024-09-23 07:57
1.82 MB
Alok Ranjan
image-2024-05-15-16-27-56-400.png
2024-05-15 10:57
103 kB
Madhur Kulshrestha
Screenshot 2024-09-20 at 12.57.28 PM.png
2024-09-20 08:32
2.00 MB
Alok Ranjan
webui-latest.png
2024-09-23 11:27
1.40 MB
Alok Ranjan

Activity

People

Assignee:

Alok Ranjan

Reporter:

Madhur Kulshrestha

Participants:

Alok Ranjan, Madhur Kulshrestha

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2024-05-14 12:30

Updated:

2024-09-25 11:26

Resolved:

2024-09-25 11:26