Brad Walker created NETBEANS-4280:
-------------------------------------
Summary: cleanup potential security breaches
Key: NETBEANS-4280
URL: https://issues.apache.org/jira/browse/NETBEANS-4280
Project: NetBeans
Issue Type: Bug
Reporter: Brad Walker
Assignee: Brad Walker
Fix For: Next
There are a few known security breaches in the sample source.
Specifically the following alerts:
+CVE-2019-5484+
Bower before 1.8.8 has a path traversal vulnerability permitting file write in
arbitrary locations via install command, which allows attackers to write
arbitrary files when a malicious package is extracted.
+CVE-2019-5413+
An attacker can use the format parameter to inject arbitrary commands in the
npm package morgan < 1.9.1.
+CVE-2017-16137+
The debug module is vulnerable to regular expression denial of service when
untrusted user input is passed into the %o formatter. It takes around 50k
characters to block for 2 seconds, making this a low severity issue.
I'm not saying these are critical. But it's better we fix them to prevent any
possibility of using NetBeans IDE to allow someone to exploit this.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
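The practical check behind a report like this is whether the pinned versions in the sample's lockfile fall inside the affected ranges. The script below is an added example and is not code from the NetBeans project or from this issue. It reads a constructed package-lock.json v1-shaped object (nested transitive dependencies), compares each pinned version against the fixed releases, and reports the matching CVE. The fixed versions for bower (1.8.8) and morgan (1.9.1) are taken from the CVE text above; the fixed versions assumed for debug (2.6.9 on the 2.x line and 3.1.0 on the 3.x line) are not stated on the page and are an assumption, as is the sample lockfile content.

```javascript
// Added example, not from the NetBeans project: flag lockfile entries whose
// pinned versions fall inside the vulnerable ranges named in the issue.
// bower/morgan fix versions come from the CVE text; the debug fix versions
// (2.6.9, 3.1.0) are an assumption not stated in the issue.
const ADVISORIES = [
  { id: "CVE-2019-5484",  pkg: "bower",  fixedIn: ["1.8.8"] },
  { id: "CVE-2019-5413",  pkg: "morgan", fixedIn: ["1.9.1"] },
  { id: "CVE-2017-16137", pkg: "debug",  fixedIn: ["2.6.9", "3.1.0"] }, // assumed
];

// Compare two dotted numeric versions; returns -1, 0 or 1. Pre-release tags
// are dropped, which is adequate for lockfile entries (always exact versions).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A version is vulnerable if it is below the fixed release on its own major
// line, or on a major line older than every fixed release (e.g. debug 1.x,
// which never received a fix). Newer majors than any fix are treated as safe.
function isVulnerable(version, fixedIn) {
  const major = Number(version.split(".")[0]);
  const sameLine = fixedIn.find((f) => Number(f.split(".")[0]) === major);
  if (sameLine) return compareVersions(version, sameLine) < 0;
  const oldestFixedMajor = Math.min(...fixedIn.map((f) => Number(f.split(".")[0])));
  return major < oldestFixedMajor;
}

// Walk a package-lock v1 tree (transitive deps nested under "dependencies")
// and return every entry matching an advisory, with the path it was found on.
function findVulnerable(lock, advisories = ADVISORIES) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, name];
      for (const adv of advisories) {
        if (adv.pkg === name && isVulnerable(entry.version, adv.fixedIn)) {
          hits.push({ id: adv.id, pkg: name, version: entry.version, path: path.join(" > ") });
        }
      }
      walk(entry.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile; not taken from any real NetBeans sample project.
const SAMPLE_LOCK = {
  dependencies: {
    bower:   { version: "1.8.4" },                        // below 1.8.8: vulnerable
    morgan:  { version: "1.9.1" },                        // exactly the fixed release
    express: { version: "4.16.4",
               dependencies: { debug: { version: "2.6.8" } } }, // transitive, vulnerable
    debug:   { version: "4.1.1" },                        // newer major line, not flagged
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.id}: ${h.pkg}@${h.version} via ${h.path}`);
}
```

Running it against a real lockfile only needs `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object; lockfile v2/v3 files use a flat `packages` map keyed by `node_modules/...` paths instead, so the walker would need a second branch for those.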