[
https://issues.apache.org/jira/browse/NETBEANS-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17096767#comment-17096767
]
Brad Walker commented on NETBEANS-4280:
---------------------------------------
Hey @ebarboni, I really don't as this should be a pretty simple fix.
This is only a version bump and that's it. In addition, this is part of sample
code. So the risk is pretty minimal.
> cleanup potential security breaches
> -----------------------------------
>
> Key: NETBEANS-4280
> URL: https://issues.apache.org/jira/browse/NETBEANS-4280
> Project: NetBeans
> Issue Type: Bug
> Reporter: Brad Walker
> Assignee: Brad Walker
> Priority: Major
> Fix For: Next
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> There are a few known security breaches in the sample source.
> Specifically the following alerts:
> CVE-2019-5484
> Bower before 1.8.8 has a path traversal vulnerability permitting file write
> in arbitrary locations via install command, which allows attackers to write
> arbitrary files when a malicious package is extracted.
> CVE-2019-5413
> An attacker can use the format parameter to inject arbitrary commands in the
> npm package morgan < 1.9.1.
> CVE-2017-16137
> The debug module is vulnerable to regular expression denial of service when
> untrusted user input is passed into the o formatter. It takes around 50k
> characters to block for 2 seconds making this a low severity issue.
> I'm not saying these are critical. But, it's better we fix them to prevent
> any possibility of using NetBeans IDE to allow someone to exploit this. As
> well as set the proper example.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
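The fix discussed in this thread is a version bump of the sample's npm/Bower dependencies. As an added illustration (not code from the NetBeans project or from the commenter), the script below audits a manifest's declared dependency ranges against the two minimum fixed versions the issue text gives (Bower 1.8.8 for CVE-2019-5484, morgan 1.9.1 for CVE-2019-5413). The manifest it checks is constructed for the example and is not the sample's real package.json; CVE-2017-16137 is omitted because the issue text does not state the fixed debug version.

```javascript
// Added example: flag dependency ranges in a sample project's manifest whose
// lower bound is below the fixed versions named in NETBEANS-4280.
// Minimum fixed versions come from the issue text; the manifest below is
// constructed for this example and is not the NetBeans sample's real one.

const MIN_FIXED = {
  bower: '1.8.8',  // CVE-2019-5484: "Bower before 1.8.8"
  morgan: '1.9.1', // CVE-2019-5413: "morgan < 1.9.1"
};

// Parse "1.2.3" (optionally prefixed with ^, ~, >=, = or v) into [1, 2, 3].
// Returns null for range syntax this simple checker does not understand,
// so that unusual specs are surfaced for manual review instead of ignored.
function parseVersion(spec) {
  const m = /^(?:\^|~|>=|=|v)?\s*(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one finding per tracked dependency whose declared lower bound is
// below the minimum fixed version, or whose spec could not be parsed.
function auditManifest(manifest) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const minFixed = MIN_FIXED[name];
      if (!minFixed) continue; // not a dependency this audit tracks
      const declared = parseVersion(spec);
      if (declared === null) {
        findings.push({ name, spec, reason: 'unparseable range, review manually' });
      } else if (compareVersions(declared, parseVersion(minFixed)) < 0) {
        findings.push({ name, spec, reason: `lower bound below fixed ${minFixed}` });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not the real NetBeans sample's package.json).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  dependencies: { morgan: '^1.8.0', express: '^4.16.0' },
  devDependencies: { bower: '~1.8.4' },
});

function auditJson(text) {
  return auditManifest(JSON.parse(text));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditJson(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.name}@${f.spec}: ${f.reason}`);
  }
}
```

The check deliberately evaluates the declared lower bound rather than what a lock file resolved to: a caret range such as `^1.8.0` may already resolve to a fixed release on one machine and to a vulnerable one on another, and raising the lower bound in the manifest is exactly the version bump the comment above describes.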