Posted to commits@netbeans.apache.org by "Brad Walker (Jira)" <ji...@apache.org> on 2020/04/29 22:38:00 UTC

[jira] [Created] (NETBEANS-4280) cleanup potential security breaches

Brad Walker created NETBEANS-4280:
-------------------------------------

             Summary: cleanup potential security breaches
                 Key: NETBEANS-4280
                 URL: https://issues.apache.org/jira/browse/NETBEANS-4280
             Project: NetBeans
          Issue Type: Bug
            Reporter: Brad Walker
            Assignee: Brad Walker
             Fix For: Next


There are a few known security breaches in the sample source.

Specifically the following alerts:

+CVE-2019-5484+
Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted.


+CVE-2019-5413+
An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.


+CVE-2017-16137+
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

I'm not saying these are critical. But it's better we fix them to prevent any possibility of using NetBeans IDE to allow someone to exploit this.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@netbeans.apache.org
For additional commands, e-mail: commits-help@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
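As an added example that is not part of the ticket or of the NetBeans code base, the following Node.js script walks a constructed lockfileVersion 1 package-lock.json tree and flags any copy of the three packages named above that sits below its fixed version, so transitive pins (for example an old debug pulled in by morgan) are caught as well. The bower and morgan thresholds are the ones stated in the ticket; the debug threshold of 2.6.9 is an assumption taken from the upstream advisory, not from the ticket.

```javascript
// Added example: audit a package-lock.json dependency tree for the three
// advisories listed in NETBEANS-4280. Thresholds for bower and morgan come
// from the ticket text; the debug threshold is an assumed value.
const advisories = [
  { name: 'bower',  fixedIn: '1.8.8', id: 'CVE-2019-5484' },
  { name: 'morgan', fixedIn: '1.9.1', id: 'CVE-2019-5413' },
  { name: 'debug',  fixedIn: '2.6.9', id: 'CVE-2017-16137' }, // assumed threshold
];

// Compare two "major.minor.patch" strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested "dependencies" objects of a lockfileVersion 1
// lock file and collect every package whose version is below the fix.
function findVulnerable(lock) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      for (const adv of advisories) {
        if (name === adv.name && compareVersions(info.version, adv.fixedIn) < 0) {
          hits.push({ id: adv.id, path: here.join(' > '), version: info.version });
        }
      }
      walk(info.dependencies, here); // transitive dependencies
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock file: morgan is outdated and also pins an old
// transitive debug; the top-level debug and bower are at safe versions.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    morgan: { version: '1.8.2', dependencies: { debug: { version: '2.6.8' } } },
    debug: { version: '4.3.4' },
    bower: { version: '1.8.8' },
  },
};

console.log(findVulnerable(sampleLock));
```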