[ https://issues.apache.org/jira/browse/NETBEANS-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brad Walker closed NETBEANS-4280.
---------------------------------
    Fix Version/s:     (was: Next)
                       12.0
       Resolution: Fixed

Fixed and merged.

> cleanup potential security breaches
> -----------------------------------
>
>                 Key: NETBEANS-4280
>                 URL: https://issues.apache.org/jira/browse/NETBEANS-4280
>             Project: NetBeans
>          Issue Type: Bug
>            Reporter: Brad Walker
>            Assignee: Brad Walker
>            Priority: Major
>             Fix For: 12.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There are a few known security breaches in the sample source.
> Specifically the following alerts:
>
> +CVE-2019-5484+
> Bower before 1.8.8 has a path traversal vulnerability permitting file write
> in arbitrary locations via install command, which allows attackers to write
> arbitrary files when a malicious package is extracted.
>
> +CVE-2019-5413+
> An attacker can use the format parameter to inject arbitrary commands in the
> npm package morgan < 1.9.1.
>
> +CVE-2017-16137+
> The debug module is vulnerable to regular expression denial of service when
> untrusted user input is passed into the o formatter. It takes around 50k
> characters to block for 2 seconds, making this a low severity issue.
>
> I'm not saying these are critical. But it's better we fix them to prevent
> any possibility of using Netbeans IDE to allow someone to exploit this. As
> well as set the proper example.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
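The three advisories quoted in the issue are all "dependency floor" problems: the sample project's package.json permitted a version of bower, morgan or debug below the version that carries the fix. The following script is an added example, not code from the NetBeans project or from the issue, showing the check a reviewer would run over such a manifest before merging: it takes the lower bound of each declared version range and compares it against the fixed version from each advisory. The fixed versions for bower (1.8.8) and morgan (1.9.1) come from the issue text; the issue does not state a fixed version for debug, so the 2.6.9 floor used here is an assumption, as is the single-floor-per-package model (an advisory patched separately on several release lines would need one entry per line). The sample package.json is constructed for the example.

```javascript
// Added example (not NetBeans project code): audit a package.json against the
// three advisories named in NETBEANS-4280 by comparing each dependency's
// lowest permitted version with the version that carries the fix.

// Floors for bower and morgan are taken from the issue text. The floor for
// debug is NOT stated in the issue and is an assumption of this example.
// One floor per package is also a simplification: an advisory fixed separately
// on several release lines would need one entry per line.
const ADVISORIES = [
  { name: 'bower',  cve: 'CVE-2019-5484',  fixed: '1.8.8', note: 'path traversal on install' },
  { name: 'morgan', cve: 'CVE-2019-5413',  fixed: '1.9.1', note: 'format parameter injection' },
  { name: 'debug',  cve: 'CVE-2017-16137', fixed: '2.6.9', note: 'ReDoS in %o formatter (floor assumed)' },
];

// Extract the lower bound of a version spec: "1.8.7", "^1.8.7", "~1.8.7",
// ">=1.8.7 <2" and "v1.8.7" all yield [1, 8, 7]. Anything without a concrete
// lower bound ("*", "latest", git URLs, tags) yields null.
function parseVersion(spec) {
  const m = /^\s*(?:[\^~]|>=?)?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(spec);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Walk every dependency section of a parsed package.json and return one
// finding per advisory whose package is declared below its floor, or whose
// spec gives no usable floor at all (flagged for manual review rather than
// silently passed).
function auditDependencies(pkg) {
  const findings = [];
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  for (const section of sections) {
    const deps = pkg[section] || {};
    for (const adv of ADVISORIES) {
      if (!(adv.name in deps)) continue;
      const spec = deps[adv.name];
      const floor = parseVersion(spec);
      if (floor === null) {
        findings.push({ ...adv, section, spec, status: 'unresolvable' });
        continue;
      }
      // A caret/tilde range installs whatever the lockfile pins, but its lower
      // bound is the weakest version the manifest still permits, so that is
      // what must clear the advisory floor.
      if (compareVersions(floor, parseVersion(adv.fixed)) < 0) {
        findings.push({ ...adv, section, spec, status: 'vulnerable' });
      }
    }
  }
  return findings;
}

function auditManifestText(text) {
  return auditDependencies(JSON.parse(text));
}

// Constructed sample manifest resembling a pre-fix sample project; not taken
// from the NetBeans sources.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  dependencies: { express: '^4.16.0', morgan: '~1.9.0', debug: '^2.6.8' },
  devDependencies: { bower: '1.8.4', mocha: '*' },
});

// Stand-alone usage: node audit-deps.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditManifestText(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.status.padEnd(12)} ${f.section}/${f.name}@${f.spec} -> ${f.cve}: need >= ${f.fixed} (${f.note})`);
  }
}
```

Against the constructed manifest the script reports morgan, debug and bower as vulnerable and ignores mocha's "*" because no advisory covers it; a "*" or "latest" spec on one of the three audited packages is reported as unresolvable so that it gets a manual look instead of a pass. Bumping the manifest floors to at least the fixed versions is the cleanup the issue describes; the lockfile must be regenerated as well, since this check reasons about the manifest, not about what is actually installed.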