BradWalker opened a new pull request #2110:
URL: https://github.com/apache/netbeans/pull/2110


There are a few known security breaches in the sample source.

Specifically, the following alerts:

CVE-2019-5484
Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via the install command, which allows attackers to write arbitrary files when a malicious package is extracted.

CVE-2019-5413
An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.

CVE-2017-16137
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

I'm not saying these are critical. But it's better we fix them to prevent any possibility of using NetBeans IDE to allow someone to exploit this, as well as to set the proper example.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


