Posted to commits@netbeans.apache.org by "Brad Walker (Jira)" <ji...@apache.org> on 2020/04/29 22:38:00 UTC
[jira] [Created] (NETBEANS-4280) cleanup potential security breaches
Brad Walker created NETBEANS-4280:
-------------------------------------
Summary: cleanup potential security breaches
Key: NETBEANS-4280
URL: https://issues.apache.org/jira/browse/NETBEANS-4280
Project: NetBeans
Issue Type: Bug
Reporter: Brad Walker
Assignee: Brad Walker
Fix For: Next
There are a few known security breaches in the sample source.
Specifically the following alerts:
CVE-2019-5484
Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted.
CVE-2019-5413
An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.
CVE-2017-16137
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
I'm not saying these are critical. But it's better we fix them to prevent any possibility of using the NetBeans IDE to allow someone to exploit this.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@netbeans.apache.org
For additional commands, e-mail: commits-help@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists