Vulnerability with Colors package colors-1.4.0.tgz - OPA #152
Unanswered
Deepikakonda98 asked this question in OPA and Rego
Replies: 1 comment
-
This seems to be a JavaScript dependency, correct? If so it isn’t something used in OPA. I’m on the phone right now so haven’t checked, but I’d guess if this is used somewhere in the project it would be either in the build chain or the docs, and I don’t think a “denial of service” attack makes a lot of sense in that context. Could you elaborate on how this affects OPA?
-
Hello,
We have identified the below vulnerability in the colors package.
colors-1.4.0.tgz with a CVSS score of 7.5. Versions of the colors package after 1.4.0 are vulnerable to Denial of Service (DoS), introduced through an infinite loop in the americanFlag module. Unfortunately, this appears to have been a purposeful attempt by a maintainer of colors to make the package unusable; other maintainers' controls over this package appear to have been revoked in an attempt to prevent them from fixing the issue.
Please guide me: will the above vulnerability be fixed with OPA v0.38.0?