Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2023-45857] Axios Cross-Site Request Forgery Vulnerability in transitive dependency #1440

Closed
patricknick opened this issue Nov 14, 2023 · 4 comments · Fixed by #2225
Closed

[CVE-2023-45857] Axios Cross-Site Request Forgery Vulnerability in transitive dependency #1440

patricknick opened this issue Nov 14, 2023 · 4 comments · Fixed by #2225
Assignees
@thomas11
Labels
area/mixins Custom mixin code customer/feedback Feedback from customers help-wanted We'd love your contributions on this issue impact/security kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed

Comments

@patricknick
Copy link

patricknick commented Nov 14, 2023
edited
Loading

What happened?

Github currently reports a vulnerability for Axios on the versions >= 0.8.1, < 1.6.0. Axios is used in adal-node, a transitive dependency of azure/ms-rest-nodeauth, which again is used by pulumi/azure.

When investigating the dependency chain, I noticed that adal-node is no longer maintained. azure/ms-rest-nodeauth is also not longer actively developed and is not planning to removed adal-node. See Azure/ms-rest-nodeauth#128. Instead, they suggest to migrate to @azure/identity.

This is blocking us from addressing the initial Axios security warning. Do you have plans to migrate away from azure/ms-rest-nodeauth?

Example

N/A

Output of pulumi about

N/A

Additional context

Affects @pulumi/azure v5.55.0

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
@patricknick patricknick added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 14, 2023
@mikhailshilkov mikhailshilkov added impact/security area/mixins Custom mixin code and removed needs-triage Needs attention from the triage team labels Nov 15, 2023
@mikhailshilkov
Copy link
Member

Yes, thank you for bringing this up, we use that dependency in our callback function mixins. Any chance you have bandwidth to try to open a PR for such an upgrade?

@mikhailshilkov mikhailshilkov added the help-wanted We'd love your contributions on this issue label Nov 15, 2023
@levpachmanov
Copy link

Hey @patricknick @mikhailshilkov,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an axios 0.27.2-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at [email protected] if you have any requests/questions.

@patricknick
Copy link
Author

patricknick commented Nov 29, 2023
edited
Loading

@mikhailshilkov I looked briefly into the required upgrade steps to @azure/identity. Most of it does seem straight-forward, there is a migration guide available.

However, the new package is constructed a bit differently from the old one, meaning, not all options that Pulumi uses (for example ARM_MSI_ENDPOINT) are available anymore. I think a bit of knowledge about Azure Identity Management and the Pulumi codebase is required to make this change solid. Unfortunately, I don't know either, and the required ramp up does exceed my bandwidth at the moment. Or do you have any resources that could help with this?

@phillipedwards phillipedwards added the customer/feedback Feedback from customers label Jun 12, 2024
@thomas11 thomas11 mentioned this issue Jul 15, 2024
Merged
@pulumi-bot pulumi-bot added resolution/fixed This issue was fixed labels Jul 16, 2024
@pulumi-bot
Copy link
Contributor

This issue has been addressed in PR #2225 and shipped in release v5.84.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@thomas11 thomas11

Labels
area/mixins Custom mixin code customer/feedback Feedback from customers help-wanted We'd love your contributions on this issue impact/security kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed
Projects
None yet
Milestone
No milestone
6 participants
@thomas11 @mikhailshilkov @phillipedwards @patricknick @pulumi-bot @levpachmanov