[ 
https://issues.apache.org/jira/browse/NETBEANS-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brad Walker closed NETBEANS-4280.
---------------------------------
    Fix Version/s:     (was: Next)
                   12.0
       Resolution: Fixed

Fixed and merged.

> cleanup potential security breaches
> -----------------------------------
>
>                 Key: NETBEANS-4280
>                 URL: https://issues.apache.org/jira/browse/NETBEANS-4280
>             Project: NetBeans
>          Issue Type: Bug
>            Reporter: Brad Walker
>            Assignee: Brad Walker
>            Priority: Major
>             Fix For: 12.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There are a few known security breaches in the sample source.
> Specifically the following alerts: 
> +CVE-2019-5484+
> Bower before 1.8.8 has a path traversal vulnerability permitting file write 
> in arbitrary locations via install command, which allows attackers to write 
> arbitrary files when a malicious package is extracted.
> +CVE-2019-5413+
> An attacker can use the format parameter to inject arbitrary commands in the 
> npm package morgan < 1.9.1.
> +CVE-2017-16137+
> The debug module is vulnerable to regular expression denial of service when 
> untrusted user input is passed into the o formatter. It takes around 50k 
> characters to block for 2 seconds making this a low severity issue.
> I'm not saying these are critical. But, it's better we fix them to prevent 
> any possibility of using NetBeans IDE to allow someone to exploit this. As 
> well as set the proper example.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
